Reputation: 1934
I'm trying to export query results from Splunk into a Python application. I've got Key-Value fields, and one of those has a JSON string (that is, a JSON structure wrapped in quotes).
First I had encountered an issue where using the table command would only return the opening bracket (e.g. "{") - which I then resolved by extracting the text via rex.
However, despite the query working well in Splunk UI, including the download option, whenever I query via the SDK I keep getting "{" as a value. I've tried CSV/JSON/XML exports, and all experience the same issue.
Any suggestions?
Upvotes: 0
Views: 536
Reputation: 1934
Looks like the issue was an escaping one - I originally had:
| rex field=_raw ".*filter=(?<filter>\".*\}\"),"
Which when replaced with the following, worked:
| rex field=_raw ".*filter=(?<filter>\\".*\}\\"),"
Escaping had to be double in order to work properly.
Upvotes: 1