Splunk Rex: Extracting fields of a string to a value

Question

I'm a newbie to SPlunk trying to do some dashboards and need help in extracting fields of a particular variable

Here in my case i want to extract only KB_List":"KB000119050,KB000119026,KB000119036" values to a column

Expected output:

KB_List
KB000119050,KB000119026,KB000119036

i have tried:

| rex field=_raw "\*"KB_List":(?<KB_List>\d+)\*"

highlighted the part below in the log

svc_log_ERROR","Impact":4.0,"CategoryId":"94296c474f356a0009019ffd0210c738","hasKBList":"true","lastNumOfAlerts":1,"splunkURL":false,"impactedInstances":"","highestSeverity":"Minor","Source":"hsym-plyfss01","reqEmail":"true","AlertGroup":"TIBCOP","reqPage":"","KB_List":"KB000119050,KB000119026,KB000119036","reqTicket":"true","autoTicket":true,"SupportGroup":"TESTPP","Environment":"UAT","Urgency":4.0,"AssetId":"AST000000000159689","LiveSupportGroup":"TESTPP","sentPageTo":"TESTPP"},"Notification":{"":{"requestId":"532938335"}},"":

score 2 · Answer 1 · answered Nov 19 '19 at 19:07

2

rex field=_raw "KB_List\":\"(?<KB_List>[^\"])\""

This regular expression will look for anything that begins with KB_List":", the capture everything except a ".

In your example, you are only capturing digits (\d+), whereas the contents in the KB_List field also contain characters ("KB" and ",")

answered Nov 19 '19 at 19:07

Simon Duff

2,631
2
7
15

THank you @Simon Duff but i couldn't get any output with above? any pointers – – Rczone Nov 19 '19 at 20:11

score 2 · Answer 2 · answered Nov 19 '19 at 21:46

2

Alas:

I figured out by looking into so many articles:

| rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed

answered Nov 19 '19 at 21:46

Rczone

493
1
5
18

Not that it makes a *great* deal of difference, but this regex is ever so slightly more efficient: `KB_List[^K]+(?[^\"]+)` – warren Apr 22 '20 at 17:45

Splunk Rex: Extracting fields of a string to a value

2 Answers2