rickygrimes

Reputation: 2716

Splunk escaped string regex to extract fields

I have a payload as below that has escaped strings, and I need to extract three attributes from this string - requestId, paymentBankType and amountTotal. I have the below query but amountTotal is always coming up as null.

index=test "mySearch" | eval _raw=replace(_raw,"\\\\\"","\"") 
|rex "requestId\"\:\"(?<requestID>([^\"]+))"
|rex "paymentBankType\"\:\"(?<paymentBankType>([^\"]+))"
|rex ""amountTotal\"\:\{"currencyAmount\"\:(?<amountTotal>([^\"]+))"
| table requestID, paymentBankType, amountTotal

This is my payload. This can vary so I really don't want to feed the query into my Splunk search. I need to filter through millions of such JSON strings, and each can have different values for requestId, paymentBankType and amountTotal. I am really not good at writing Splunk queries.

{\"eventId\":\"430215f5-d6e5-4c3d-b1e0-7f36dc22f76d\",\"eventType\":\"TEST\",\"eventTime\":\"2023-03-21T15:04:14.479+0000\",\"eventPayload\":{\"requestId\":\"100000023679171\"\"paymentMethod\":[{\"paymentMethodId\":\"e17579d2-51d6-4b03-a910-49886dcfa21a\",\"paymentBankType\":\"AMEX\",\"paymentType\":\"CREDITCARD\",\"amountTotal\":{\"currencyAmount\":312.11,\"currencyUnit\":\"USD\"}}

Upvotes: 0

Views: 746

Answers (1)

RichG

Reputation: 9926

There's an unescaped quotation mark in the regex for amountTotal. Try | rex "amountTotal\":\{\"currencyAmount\":(?<amountTotal>([^\"]+))"

Upvotes: 1
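The unescape-then-rex pipeline from the question, with the corrected amountTotal pattern from the answer, as an added worked example in Python rather than SPL (this is not code from the question, the answer or Splunk). Python's re module stands in for Splunk's PCRE-based rex, so the named groups are written (?P<name>...) instead of (?<name>...); everything else in the three patterns is copied as written. The sample event RAW_EVENT is constructed to match the shape of the question's payload, and the tightened numeric pattern AMOUNT_NUMERIC is an addition here, not part of either post.

```python
import re

# Constructed sample: one Splunk _raw event carrying an escaped JSON string,
# shaped like the payload in the question. It is not a real record.
RAW_EVENT = (
    r'{\"eventId\":\"430215f5-d6e5-4c3d-b1e0-7f36dc22f76d\",\"eventType\":\"TEST\",'
    r'\"eventPayload\":{\"requestId\":\"100000023679171\",\"paymentMethod\":[{'
    r'\"paymentBankType\":\"AMEX\",\"paymentType\":\"CREDITCARD\",'
    r'\"amountTotal\":{\"currencyAmount\":312.11,\"currencyUnit\":\"USD\"}}]}}'
)


def unescape_quotes(raw: str) -> str:
    """Same effect as the SPL step  eval _raw=replace(_raw,"\\\\\"","\"").

    The regex \\" matches a backslash followed by a quote; each such pair is
    replaced by a bare quote, so \"requestId\" becomes "requestId".
    """
    return re.sub(r'\\"', '"', raw)


# The question's two working patterns and the answer's corrected amountTotal
# pattern, verbatim apart from the (?P<v>...) group syntax that Python requires.
# Written as raw double-quoted strings so every quote inside the regex is
# escaped exactly as it must be inside an SPL double-quoted string.
PATTERNS = {
    "requestID":       r"requestId\":\"(?P<v>([^\"]+))",
    "paymentBankType": r"paymentBankType\":\"(?P<v>([^\"]+))",
    "amountTotal":     r"amountTotal\":\{\"currencyAmount\":(?P<v>([^\"]+))",
}

# Addition, not from the page: [^\"]+ runs until the next quote, so on a
# number it also swallows the comma before "currencyUnit". A numeric class
# stops at the end of the number.
AMOUNT_NUMERIC = r"amountTotal\":\{\"currencyAmount\":(?P<v>-?\d+(?:\.\d+)?)"


def rex(pattern: str, text: str):
    """Minimal stand-in for | rex: first match, or None when nothing matches."""
    m = re.search(pattern, text)
    return m.group("v") if m else None


def extract_fields(raw: str) -> dict:
    """Run the unescape step once, then every rex over the unescaped event."""
    text = unescape_quotes(raw)
    fields = {name: rex(pat, text) for name, pat in PATTERNS.items()}
    fields["amountTotalNumeric"] = rex(AMOUNT_NUMERIC, text)
    return fields


if __name__ == "__main__":
    for name, value in extract_fields(RAW_EVENT).items():
        print(f"{name} = {value!r}")
```

Two things worth checking before running the SPL at scale: the answer's pattern does match, but because the capture is `[^\"]+` the value of amountTotal is `312.11,` with the trailing comma, so a later `| eval` on it as a number will fail unless the class is tightened as in AMOUNT_NUMERIC. And once the `\"` pairs have been collapsed, a quote inside any field value ends the capture early, so regex-extracted fields are only as reliable as the producer of the JSON; where the payload is well-formed, parsing the unescaped string as JSON is the safer route.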
