Using regex to extract summary

bigll

in raw data I have portion that I would like to use in report.

"changes":{"description":{"before":"<some text or empty>","after":"<some text or empty>"}}

I created

rex summary= "changes":\{"description":\{"before":"<some text or empty>","after":"<some text or empty>"\}\})"

But it doesn't work.

Please advise

gcusello

Hi @bigll ,

as @ITWhisperer said, this seems to be a json format so the INDEXED_ENTRACTION = json option in props.conf or the spath command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath) is the easiest solution to your requirement.

Then the rex command has a different format to extract fields: the fied definition must be located inside the rex definition, as the following example using your data:

| rex "before\":\"(?<summary_before>[^\"]+)\".\"after\":\"(?<summary_after>[^\"]+)"

You can see how to extract and test your regex at https://regex101.com/r/22aHz1/1

Ciao.

Giuseppe

ITWhisperer

This is not how rex works - you need to provide a pattern as a regular expression to identify what you want to extract. For example, do you want everything from "change" to "}}"? Does this pattern hold true for all your event where you want to extract this field?

Aside from that, this looks like json - why aren't you using spath or the other json functions to extract the json field?

bigll

Thank you for your message.

You are correct, I need everything between {} as a value of the field I can include in the table.

ITWhisperer

Try this

| rex "\"changes\":(?<changes>\{.*?\}\})"

Using regex to extract summary

regex

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?