Solved: Re: How to extract data using rex?

Learner · ‎12-01-2020

Hi all,

I am having data as follows:

REPORT RequestId: xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1

i want a field as CorrelationId3 which is having xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 value

renjith_nair · ‎12-02-2020

Edited the first answer and should work for space and tabs

|rex "RequestId:\s+(?<CorrelationId3>[^\s]+)"

If the format of the string is only letters,numbers and - then ,you may use

|rex "RequestId:\s+(?<CorrelationId3>[a-z0-9A-Z-]+)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Learner · ‎12-10-2020

thank you @renjith_nair for help. now im again trying to extract correlation_id as CorrelationId4.

{"data":{"correlation_id":"51g0d88f-3ab8-4mom-betb-b31ed6e1662z","u_originator_uri"

i used following query to extract value:

 | rex "\{\"correlation\_id\"\:\"(?<CorrelationId4>[^\<]*)\s*\""

but now, i am not getting field as CorrelationId4. request you to guide further on this

renjith_nair · ‎12-10-2020

try

correlation_id\":\"(?<CorrelationId4>[^\"]+)

---
What goes around comes around. If it helps, hit it with Karma 🙂

Learner · ‎12-20-2020

i have tried

| rex "correlation_id\\":\\"(?<CorrelationId4>[^\"]+)\\"

but it gives me error as

Error in 'rex' command: Encountered the following error while compiling the regex 'correlation_id\:\(?<CorrelationId4>[^"]+)\': Regex: unmatched closing parenthesis.

renjith_nair · ‎12-20-2020

1. You dont need to use \\ but only single \

2. The last quote (") should not be escaped with \\

Please see below sample

|makeresults|eval _raw="{\"data\":{\"correlation_id\":\"51g0d88f-3ab8-4mom-betb-b31ed6e1662z\",\"u_originator_uri\""
|rex "correlation_id\":\"(?<CorrelationId4>[^\"]+)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

Learner · ‎12-20-2020

not getting the data

Learner · ‎12-10-2020

not getting the data.

what if data is like:

"{\"data\":{\"correlation_id:\"51g0d88f-3ab8-4mom-betb-b31ed6e1662z\",\"u_originator_uri

renjith_nair · ‎12-01-2020

Do you have any characters/strings after the value ?

your search
|rex "RequestId:\s+(?<CorrelationId3>.*)"

If you have any chars after the value , add them after the last parenthesis (")")

---
What goes around comes around. If it helps, hit it with Karma 🙂

Learner · ‎12-01-2020

there is more raw data after xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 as 'xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 Duration ---'.

after using using your query, i'm getting data as 'xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 Duration ---'

but i want data as 'xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1'

renjith_nair · ‎12-01-2020

As mentioned, have you tried adding that string after the parenthesis?

|rex RequestId:\s+(?<CorrelationId3>[^\s]+)

---
What goes around comes around. If it helps, hit it with Karma 🙂

Learner · ‎12-01-2020

yes, but still not getting right answer. i guess there is tab space rather than blank space before Duration. if tab, then how to write that?

renjith_nair · ‎12-02-2020

Edited the first answer and should work for space and tabs

|rex "RequestId:\s+(?<CorrelationId3>[^\s]+)"

If the format of the string is only letters,numbers and - then ,you may use

|rex "RequestId:\s+(?<CorrelationId3>[a-z0-9A-Z-]+)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

How to extract data using rex?

field extraction

rex

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?