Solved: Re: How do you use the rex command to obtain value...

JyotiP · ‎09-05-2017

I have a query :

host=*perf* bf19f0c3-2f10-4db2-b33f-efb946b0ee24 {"StatusCode":204* | table Message
Out put  of the above query is as follows :
{"StatusCode":204,"ReasonPhrase":"No Content","Method":"GET","PathAndQuery":"/api/ibor/v2/positionValuations?businessDate=2017-09-04\u0026closeoutSchemeId=1\u0026expand=*\u0026logicalTimeId=150\u0026positionStateId=40","MessageType":"Response"}

I want to take out the following value :
1. businessDate
2. positionStateId
3. closeoutSchemeId

and put them in a table in which the basic value should be businessDate=2017-09-04, positionStateId=40,closeoutSchemeId=1

gcusello · ‎09-06-2017

Hi JyotiP,
use this regex with rex command

| rex ".*businessDate(?<businessDate>[^\\]*)\\u0026closeoutSchemeId\=(?<closeoutSchemeId>[^\\]*)\\u0026.*positionStateId\=(?<positionStateId>[^\"]*)"

or extracting fields.

Test it at https://regex101.com/r/USbhRP/1

Bye.
Giuseppe

View solution in original post

amy25 · ‎10-29-2018

Hi
I know it's too late to answer but I would like to contribute the following idea:

|rex ".businessDate=(?\d.-\d*)\.closeoutSchemeId=(?\d\u\d).positionStateId=(?\d)"

gcusello · ‎09-06-2017

Hi JyotiP,
use this regex with rex command

| rex ".*businessDate(?<businessDate>[^\\]*)\\u0026closeoutSchemeId\=(?<closeoutSchemeId>[^\\]*)\\u0026.*positionStateId\=(?<positionStateId>[^\"]*)"

or extracting fields.

Test it at https://regex101.com/r/USbhRP/1

Bye.
Giuseppe

JyotiP · ‎09-06-2017

{"StatusCode":204,"ReasonPhrase":"No Content","Method":"GET","PathAndQuery":"/api/ibor/v2/positionValuations?businessDate=2017-09-04\u0026closeoutSchemeId=1\u0026expand=*\u0026logicalTimeId=150\u0026positionStateId=40","MessageType":"Response"}

The highlighted value (\u0026expand=*\u0026logicalTimeId=150\u0026) are unique every time I hit it will change, and for different query the values are different but the
businessDate=2017-09-04
closeoutSchemeId=1
positionStateId=40
will be as it is. So I want to capture only above 3 value irrespective of the values followed by the above values.

JyotiP · ‎09-06-2017

Hi Giuseppe,

It is not working because "\" is not supporting.

JyotiP · ‎09-06-2017

@cusello,
tried but given the a pattern error please refer the following
https://regex101.com/r/USbhRP/1 and please select javascript.

gcusello · ‎09-06-2017

I usually use regexes in Splunk never in Javascripts, anyway try something like

.*businessDate\=([^\\]*)\\u0026closeoutSchemeId\=([^\\]*)\\u0026.*positionStateId\=([^\"]*)

where:

Group1 is businessDate
Group2 is closeoutSchemeId
Group3 is positionStateId

test it in https://regex101.com/r/USbhRP/3
Bye.
Giuseppe

JyotiP · ‎09-06-2017

Output table should contain the values as follows :

businessDate=2017-09-04,
positionStateId=40,
closeoutSchemeId=1

How do you use the rex command to obtain values to be put into a table?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...