I have data as `"{\"data\":{\"correlation_id:\"51g0d88f-3ab8-4mom-betb-b31ed6e1662z\",\"u_originator_uri` in _raw. I want to extract values of correlation_id as CorrelationId4.

Dshruti
- Best to use a JSON parser to easily extract a field, such as `JSON.parse(_raw).data.correlation_id` will return the value of `correlation_id`. – Peter Thoeny Dec 21 '20 at 04:08
- I want a Splunk query to extract data. As I have the user role, I cannot extract data in JSON format. – Dshruti Dec 21 '20 at 04:53
- What do you mean by `correlation_id as CorrelationId4`? – Hamza Abdaoui Dec 21 '20 at 08:01
- I want to extract the value of correlation_id and save it into the field CorrelationId4. – Dshruti Dec 21 '20 at 13:15
1 Answer
Best to use a JSON parser to easily extract a field, such as `JSON.parse(_raw).data.correlation_id` will return the value of `correlation_id`.

I do not have Splunk to test, but try this if you want to use the `rex` Splunk command with a regular expression:

```
rex field=_raw "correlation_id:.\"(?<CorrelationId4>.*?).\""
```

Detailed docs at https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Rex

Peter Thoeny
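
An added example, not part of the original answer: it runs the answer's pattern and a more tolerant variant over three constructed `_raw` shapes, going beyond the single shape in the question. It is written in JavaScript because its regex engine accepts the same `(?<name>...)` group syntax as `rex`; the sample events and the names `tolerantPattern` and `extractCorrelationId` are assumptions made here.

```javascript
// Added example. Sample events are constructed from the shape shown in the
// question; tolerantPattern and extractCorrelationId are hypothetical names.
const ID = "51g0d88f-3ab8-4mom-betb-b31ed6e1662z";

const samples = {
  // Escaped quotes, no quote after the key (the shape posted in the question).
  asPosted: String.raw`{\"data\":{\"correlation_id:\"${ID}\",\"u_originator_uri`,
  // Escaped quotes, key properly closed before the colon.
  escapedJson: String.raw`{\"data\":{\"correlation_id\":\"${ID}\",\"u_originator_uri`,
  // Ordinary unescaped JSON.
  plainJson: `{"data":{"correlation_id":"${ID}","u_originator_uri`,
};

// The answer's pattern: "." stands in for the backslash before each quote.
const answerPattern = /correlation_id:."(?<CorrelationId4>.*?)."/;

// Tolerant variant (assumption, not from the answer): the backslash and the
// quote after the key are optional, and the value ends at the first backslash
// or quote, so nothing after the id can leak into the field.
const tolerantPattern =
  /correlation_id\\?"?\s*:\s*\\?"(?<CorrelationId4>[^"\\]+)/;

// Returns the captured value, or null when the pattern does not match.
function extractCorrelationId(raw, pattern) {
  const match = pattern.exec(raw);
  return match ? match.groups.CorrelationId4 : null;
}

// Runs both patterns over every sample and returns one row per sample.
function compare() {
  return Object.entries(samples).map(([shape, raw]) => ({
    shape,
    answer: extractCorrelationId(raw, answerPattern),
    tolerant: extractCorrelationId(raw, tolerantPattern),
  }));
}

console.table(compare());
```

The answer's pattern matches only the shape posted in the question; once quotes and backslashes are escaped for the SPL string, the tolerant pattern can be passed to `rex field=_raw` in the same way.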