I wonder whether someone could possibly help me please.
Firstly my apologies for what may seem a simple question, but I'm really struggling with this.
I'm trying to extract a nino field from my raw data in Splunk which is in the following format "nino\":\"AB123456A\".
I've read quite a number of tutorials this morning, but I've still not been able to find the 'Rex' expression for this. I just wondered whether someone may be able to provide some guidance on what the 'Rex' expression would be for this.
The rex search command is short for regular expression (also known as regex or regexp).
You can use something like the following query, which looks at the raw event and tries to parse out the value for nino:
index=foo | rex field=_raw "^\"\\w+\\\\\":\\\\\"(?P<nino>[^\\\\]+)"
Append | table nino if you want to really be sure the field was extracted, which you can easily verify in the table:
index=foo | rex field=_raw "^\"\\w+\\\\\":\\\\\"(?P<nino>[^\\\\]+)" | table nino
I generated the regular expression using the field extractor, which is pretty intuitive. You'll probably want to do your own field extraction since your data will not be exactly like the example you added. Ideally, you'll just need to define a sourcetype with the field extraction so you don't need to use the rex search command.
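The hard part of the rex expression above is the double layer of escaping: Splunk first unquotes the search string, then the regex engine sees the result. The following is an added example (not from the question or the answer) that replays both layers in Python, assuming Splunk's usual in-string rules (\" becomes a quote, \\ becomes one backslash, anything else is passed through), and runs the resulting pattern over constructed events in the poster's escaped-JSON format; one sample shows that \w+ accepts any field name, not only nino.

```python
import re
from typing import List, Optional

# The rex pattern exactly as written inside the double-quoted Splunk search string.
SPLUNK_LITERAL = r'^\"\\w+\\\\\":\\\\\"(?P<nino>[^\\\\]+)'


def unescape_splunk_string(literal: str) -> str:
    """Undo the quoting Splunk applies inside a "..." search string.

    Assumed rule: \" -> " and \\ -> \ ; every other character, including
    regex escapes such as \w, is handed to the regex engine unchanged.
    """
    out: List[str] = []
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal) and literal[i + 1] in '"\\':
            out.append(literal[i + 1])  # keep only the escaped character
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extract_nino(raw_event: str, literal: str = SPLUNK_LITERAL) -> Optional[str]:
    """Apply the un-escaped pattern to one _raw event; None when it does not match."""
    match = re.search(unescape_splunk_string(literal), raw_event)
    return match.group("nino") if match else None


# Constructed sample events (not real data) in the escaped-JSON shape from the question.
SAMPLE_EVENTS = [
    r'"nino\":\"AB123456A\"',                 # the format from the question
    r'"nino\":\"CD987654B\",\"name\":\"x\"',  # more fields after nino
    r'"age\":\"42\"',                          # \w+ matches any field name: captured as nino too
    r'{"nino":"EF111111C"}',                   # plain JSON, not escaped: pattern does not apply
]

if __name__ == "__main__":
    print("regex seen by the engine:", unescape_splunk_string(SPLUNK_LITERAL))
    for event in SAMPLE_EVENTS:
        print(f"{event!r:45} -> nino={extract_nino(event)!r}")
```

The third sample is the caveat worth keeping in mind: because the field name is matched with \w+ rather than the literal nino, the extraction is positional, and a sourcetype-level extraction with the exact field name is the safer long-term choice.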