I have a log that looks like this:
msg: time=2017-10-25.15:53:07:827 | msg2=somedata:sometitle[{"key1":"value1","key2":"value2"}]
I want to get value2, and here is my Splunk query:
index="some_index" | rex "key2\s*(?<data2>.+)\s*"
Here is the extracted data2: \',\'value2\'\'
I couldn't figure out how to exclude the slashes and just get value2. Please help. Thanks.
You just need to adjust your regex string to skip the quotes.
Try ... | rex field=msg2 "key2\":\"(?<data2>[^\"]+)" | ...
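The two patterns from this thread run side by side, as an added example that is not part of the original question or answer. Python's re module stands in for Splunk's regex engine here (named groups are written (?P<name>...) in Python), the sample events are constructed, and the JSON-parsing helper is a hypothetical alternative for values that contain escaped quotes.

```python
import json
import re

# Constructed sample events in the shape shown in the question.
SAMPLE_EVENTS = [
    'msg: time=2017-10-25.15:53:07:827 | msg2=somedata:sometitle[{"key1":"value1","key2":"value2"}]',
    # Constructed edge case: the value itself contains escaped quotes.
    'msg: time=2017-10-25.15:53:08:101 | msg2=somedata:sometitle[{"key1":"a","key2":"say \\"hi\\""}]',
]

# The question's pattern: the greedy .+ runs to the end of the event.
GREEDY = re.compile(r'key2\s*(?P<data2>.+)\s*')
# The answer's pattern: anchor on the ":" delimiter and stop at the next quote.
ANCHORED = re.compile(r'key2":"(?P<data2>[^"]+)')


def extract_regex(pattern, event):
    """Return the data2 capture, or None when the pattern does not match."""
    match = pattern.search(event)
    return match.group("data2") if match else None


def extract_json(event, key="key2"):
    """Hypothetical alternative: parse the JSON array in the event and look the key up."""
    start = event.find("[{")
    if start == -1:
        return None
    try:
        # raw_decode stops at the end of the array and ignores trailing text.
        items, _ = json.JSONDecoder().raw_decode(event[start:])
    except json.JSONDecodeError:
        return None
    for item in items:
        if isinstance(item, dict) and key in item:
            return item[key]
    return None


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(repr(extract_regex(GREEDY, event)),
              repr(extract_regex(ANCHORED, event)),
              repr(extract_json(event)))
```

The anchored pattern stops at the first quote character, so a value with an escaped quote comes back truncated; parsing the array as JSON returns it whole.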