Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to capture 2 slightly different pattern of strings through regex and make it one field

ms208a
Explorer
‎05-15-2018 10:49 PM

Hello All ,
i wanted to capture the numeric values for below strings ctn.
CTN captured into 2 different formats.
First "ctn": "2148504794" - it has space between ":" and numeric values
Second ctn":"2148504794" - it doesn't have space between ":" and numeric values
like
"ctnId":279,"ctn":"2148504794",
processDMaaPMessage {"device": [{"ctn": "2148504794","status": "Restored"}]}}

i am using this rex
rex "ctn\"[:|: ] \"(?\d+)\","

but it seems it didn't work

please suggest a fix

Tags (1)
Reply

mayurr98
Super Champion
‎05-16-2018 03:35 AM

Try this run anywhere search

| makeresults 
| eval data="\"ctn\": \"2148504794\"" 
| append 
    [| makeresults 
    | eval data="ctn\":\"2148504794\""] 
| rex field=data "ctn\":(|\s+)\"(?<ctn>[^\"]+)"

In your environment you should try,

<your base search>| rex field=_raw "ctn\":(|\s+)\"(?<ctn>[^\"]+)"

let me know if this helps!

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-16-2018 03:57 AM

Also, you might want to start using a service like regex101.com. It would've shown you that your regex has invalid syntax. 🙂

0 Karma
Reply

ms208a
Explorer
‎05-16-2018 12:03 PM

Thanks Mayur, it works 🙂

i am trying to capture below reasonMessage also, but it capture
the colon with space only like "reasonMessage": "Uplift transaction failed due to SWC system error"}]}}*

i wanted to capture below strings as well.
"reasonMessage": "Uplift transaction failed due to SWC system error"}]}}

Thanks alot for your time and inputs.

0 Karma
Reply

mayurr98
Super Champion
‎05-22-2018 10:40 PM

Try this regex \"reasonMessage\"\:\s\"(?<reasonMessage>[^\"]+)

0 Karma
Reply

ms208a
Explorer
‎06-04-2018 04:54 PM

You rocks Mayur. Thanks again

0 Karma
Reply

niketn
Legend
‎06-04-2018 10:14 PM

@ms208a, if your issue is resolved, please accept the answer to mark this question as answered and help others facing similar issue in future.

Do up vote the comment/s that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...