Re: How to extract a field within quotes and extra...

dernst · ‎02-10-2016

Hi Guys,

I am new to Splunk and regex and trying to extract a given field plus its value. So in the example below, the field is user and the value is 11111111, but this could be anything like a name or description etc. What is the easiest way to select a field by name and extract its value based on the following second set of quotes?

"user" : "11111111"

Deepz2612 · ‎12-16-2017

Hi ,

For logs such as below please help me in extracting the data enclosed within double quotes.

Contact Dealership Name="Amery",Role= "IT_Deal"
Contact Dealership Name="US",Role= "IT_Deal"
Contact Dealership Name="J. Nuckolls, Inc. dba Fenton Auto Sales",Role= "IT_DEAN"

I tried using rex field=_raw "Contact Dealership Name=\"(?[^,]+)\""
But the results are as below :
Dealership_Name
Amery
US
but J. Nuckolls, Inc. dba Fenton Auto Sales is not included in the result.
how the rex_field has to be modified to capture that also.

niketn · ‎12-16-2017

@Deepz2612, please post a new question. Also for Sample Data and SPL please use code button (101010) on Splunk Answers so that special character does not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

MuS · ‎02-10-2016

Hi dernst,

take a look at this answer https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html which provides an example to the same question. You simply have to use this "([^"]+)"\s:\s"([^"]+)" as your regex in transforms.conf.

Hope this helps ...

cheers, MuS

How to extract a field within quotes and extract its value based on the following second set of quotes?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability