Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

regular expression json

efaundez
Path Finder
‎07-06-2018 01:10 PM

good afternoon

   I'm trying to capture a particular field, but sometimes my events come several times, and declaring the regular expression only captures a value.

   Any suggestions?

\"(code_key)\"\s*:\s*\"?(?[\w\d:.-]*)\"?

{ "_id" : { [ { "network_id_key" : "99999999" } ], "avps_key" : [], "services_key" : [ { "enabled_key" : true, "avps_key" : [], "code_key" : "IM_Prepago" } ], "billing_info_key" : {}, "start_date_key" : { "$date" : "2015-01-29T03:50:28.000-0300" }, "realm_key" : null, "name_key" : {}, "end_date_key" : null }

{ "_id" : {[ { "network_id_key" : "99999999" } ], "services_key" : [ { "avps_key" : [], "enabled_key" : true, "code_key" : "IM_Prepago" }, { "avps_key" : null, "enabled_key" : true, "code_key" : "TDE_IM_PP" }, { "code_key" : "TDE_ROAM_DEF", "avps_key" : null, "enabled_key" : true } ], "status_key" : "ACTIVE", "start_date_key" : { "$date" : "2015-01-29T03:50:28.000-0300" } }

{ "_id" : { [ { "avps_key" : [], "enabled_key" : true, "code_key" : "IM_Prepago" }, { "avps_key" : null, "enabled_key" : true, "code_key" : "TDE_IM_PP" }, { "code_key" : "TDE_ROAM_DEF", "avps_key" : null, "enabled_key" : true } ], "status_key" : "ACTIVE", "start_date_key" : { "$date" : "2015-01-29T03:50:28.000-0300" } }

alt text

Preview file
1 KB
0 Karma
Reply

Sukisen1981
Champion
‎07-09-2018 09:21 AM

As @ cpetterborg says

If you are trying this at search time all you need to do is add a max_match=0 after your regex, assuming your regex is giving the correct value for 1 extraction... something like `rex field=_raw "(code_key)"\s*:\s*"?(?[\w\d:.-]*?)" max_match=0. Has your rejected got corrupted while pasting here?Bsically just pipe max_match after the regex that successfully extracts the first value.

0 Karma
Reply

efaundez
Path Finder
‎07-06-2018 02:31 PM

thanks for your reply
  
   Splunk continues only taking into account 1 only value and the others ignore them 😞

alt text

alt text

Preview file
1 KB
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎07-06-2018 03:35 PM

Again - Are you wanting to do this at search time (in the search string - e.g.rex, or auto field extraction), or at index time?

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎07-06-2018 01:45 PM

So you are getting ONLY the first match and not the other two, but you want all three?

And are you wanting to do this at search time (in the search string - e.g.rex, or auto field extraction), or at index time?

Also, for clarity - your regex seems to have gotten a little eaten by the formatting:

"(code_key)"\s*:\s*"?(?<code_key>[\w\d\:.-]*)"?

I also took a few backslashes out that weren't needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...