Re: Extract data from within only double quotes "*...

chrisschum · ‎08-08-2018

How can you only extract data from a _raw log where the data I want is separated with double quotes? So it's "this is the only data I want"

Thanks!

niketn · ‎08-08-2018

@chrisschum as far as I understand your intent is not to remove but to extract data from within quotes. While some more patter for identifying correct double quote to start the extraction would be useful, you can try out the following rex command to begin with:

| makeresults
| eval _raw="my sample raw data with text string... \"this is the only data I want\"... nothing else matters"
| rex "\"(?<myfield>[^\"]+)\""

Please try out and confirm. Once you have tested the rex with your sample data, you can move the same to Fields Extraction Knowledge Object, using Interactive Field Extraction or directly editing props.conf file.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

chrisschum · ‎08-09-2018

Thanks! That works. I have one followup question. In the "this is the only data I want" how do I make it so that data can be anything alphanumeric. So anything between the double quotes can be any data?

Thanks!

493669 · ‎08-08-2018

The SEDCMD-* option in props.conf can be used to remove unwanted part of log entries.
You can refer here- http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Anonymizedata

[<YOURSourcetype Name>]
 SEDCMD-strip-detail-msg = s/^[^"]+//g

Please check Regex
its format is SEDCMD-<class> = s/<regex>/<replacement>/flags

chrisschum · ‎08-09-2018

Thanks! But I want to keep the log data, just extract the data between the double quotes.

Extract data from within only double quotes "*" in a _raw log

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!