Solved: How to extract a field with special characters?

mugilbala · ‎05-17-2018

Hi,

I have a log statement that prints service execution time like -

Service Response : {"entity":"{\"transactionId\":\"39182d7a-7f34-4c28-a0f2-9b42b9b206df\",\"executionTimeInMillis\":112,"status":201}

I am trying to extract the value of "executionTimeInMillis".

My search statement - index="xyz" "Service Response :" | search "\"executionTimeInMillis\"\":"(?exeTime[^\$]*)," | table _time, exeTime
Note: I have added <> to exeTime. It is not showing in the question.

However, it did not show any results. Can you help me with this query?

somesoni2 · ‎05-17-2018

The field extraction command is rex, not search. There may be few issues with your regex, e.g. there is no double quotes after colon. So try this

index="xyz" "Service Response :" | rex "\"executionTimeInMillis[^\:]+\:\s*(?<exeTime>[^,]+)" | table _time, exeTime

View solution in original post

somesoni2 · ‎05-17-2018

The field extraction command is rex, not search. There may be few issues with your regex, e.g. there is no double quotes after colon. So try this

index="xyz" "Service Response :" | rex "\"executionTimeInMillis[^\:]+\:\s*(?<exeTime>[^,]+)" | table _time, exeTime

mugilbala · ‎05-17-2018

Thank you so much. It worked. Appreciate your help.

How to extract a field with special characters?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio