Solved: Help with | rex command to extract a field?

adhwihhiahwd · ‎06-09-2023

hello everyone,

my event data looks like this

{\"status\":1,\"httpStatus\":200,\"event\":\"getBooks\"}

My goal is to extract httpStatus as a field so I can filter events by their codes(e.g 200, 400 ..)

I learned that we need to escape backslashes and double quotes but the command below didn't work

| rex "httpStatus\\\":(?<http_status>\d+)"

What did i do incorrectly here?

gcusello · ‎06-09-2023

I suppose that yu tested yur regex in regex101.com and it runs but it doesn't run in Splunk,

so, try using four back slashes

| rex "httpStatus\\\\":(?<http_status>\d+)"

Ciao.

Giuseppe

adhwihhiahwd · ‎06-09-2023

wow thanks!

4 back slashes worked...

| rex "httpStatus\\\\\":(?<http_status>\d+)"

gcusello · ‎06-09-2023

Splunk mysteries!!!

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎06-09-2023

I suppose that yu tested yur regex in regex101.com and it runs but it doesn't run in Splunk,

so, try using four back slashes

| rex "httpStatus\\\\":(?<http_status>\d+)"

Ciao.

Giuseppe

Help with | rex command to extract a field?