Alert rule enrichment regex guide

Ngauthier
Giga Expert

Hello, 

 

Editing as I have gained more information since initially posting.
Please note that I cannot use any scripting, and everything needs to be done within the www.instance.service-now.com/now/sow/enrich-automation/x page.

 

I am trying to figure out how to extract specific data from a serialized JSON string within the additional info field. The only thing I've been able to do so far is use (.....)*. to extract specified text by positioning, but this is extremely unreliable. My string looks a bit like this:

{"json_rootfield1":"{\"custom_field1\":\"Value_1 \\n\",\"custom_field2\":\"Value_2 \\n\",\"custom_field3\":\"Value3\",\"custom_field4\":\"Value4 \\n\",\"custom_field5\":\"Value5\",\"custom_field6\":\"Value6\",\"custom_field7\":\"Value7\",\"custom_field8\":\"Value8\"}","json_rootfield2":true,"json_rootfield3":"1234"}

How would I, for example, extract the rootvalue2 from this string? Is there any documentation anywhere that is more in depth than the SNow page, because that one is extremely barebones? The goal is to do this without the use of scripting.

I have successfully extracted using regex101. However, ServiceNow uses its own regex backend with slight differences. Even using \d{4} fails to extract a 4-digit number from a string such as this:

<99>TEXT: 'TEXT_9999' INFO: INFORMATION

I've also uploaded two sample regex which should theoretically work, but do not.


1 ACCEPTED SOLUTION

Ngauthier
Giga Expert

I've found the nomenclature for this to function properly, at least for the following example. Given the text below:
<99>TEXT: 'TEXT_9999' INFO: INFORMATION

a regex of .*([0-9]{4}).* will output the proper information.
This seems to be due to two reasons. The search does not look through the entire input by default, hence the need for .* encapsulating the query, which returns a match for the entire input. We then require the regex to be within parentheses to create the group, outputting the desired data. Here is a screen capture explaining the results.


I will mark this as resolved for future reference. Thank you, everyone.

6 REPLIES

Hi @Tejas Adhalrao 

I cannot use any scripting. This needs to be done solely within the Alert Enrichment section.

You are correct in the fact that it is a double-encoded JSON. However, it can still be parsed with regex using external tools such as regex101, as shown in the attached image.

This, however, does not work within the ServiceNow environment:

service-now.com/now/sow/enrich-automation/-1

This is because service-now uses a custom regex in the backend. What I am looking for is documentation for said regex, or help to extract relevant information.

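The whole-input matching described in the accepted solution, as an added example that is not part of the thread or of ServiceNow's documentation. It uses Python's `re.fullmatch` as a stand-in for the enrichment engine (an assumption), goes beyond the thread's single pattern to the JSON fields from the question, and the `TWO_RUNS` sample and pattern names are constructed for illustration.

```python
import re

# Constructed samples based on the strings quoted in the thread.
SYSLOG = "<99>TEXT: 'TEXT_9999' INFO: INFORMATION"
TWO_RUNS = "<99>TEXT: 'TEXT_9999' INFO: port 8080"  # second 4-digit run added
# Raw field text (shortened): the inner JSON is itself a string, so its quotes
# arrive as literal backslash-quote pairs.
ADDITIONAL_INFO = (
    r'{"json_rootfield1":"{\"custom_field1\":\"Value_1 \\n\",'
    r'\"custom_field3\":\"Value3\"}",'
    r'"json_rootfield2":true,"json_rootfield3":"1234"}'
)

PATTERNS = {
    "bare": r"[0-9]{4}",                 # no group, does not span the input
    "wrapped": r".*([0-9]{4}).*",        # form from the accepted solution
    "anchored": r".*'TEXT_([0-9]+)'.*",  # literal context pins which digits
    "root2": r'.*"json_rootfield2":(true|false).*',
    "root3": r'.*"json_rootfield3":"([^"]*)".*',
    # In this raw string, \\ is the regex for one literal backslash.
    "nested3": r'.*\\"custom_field3\\":\\"([^"\\]*)\\".*',
}


def extract(name, text):
    """Return group 1 when the pattern matches the whole input, else None.

    re.fullmatch is a stand-in (assumption) for the whole-input matching
    the accepted solution observed; it is not ServiceNow's engine.
    """
    m = re.fullmatch(PATTERNS[name], text)
    return m.group(1) if m and m.groups() else None


def search_anywhere(name, text):
    """Search-style matching, as an online regex tester does by default."""
    m = re.search(PATTERNS[name], text)
    return m.group(0) if m else None


if __name__ == "__main__":
    for name, text in [("bare", SYSLOG), ("wrapped", SYSLOG),
                       ("wrapped", TWO_RUNS), ("anchored", TWO_RUNS),
                       ("root2", ADDITIONAL_INFO), ("root3", ADDITIONAL_INFO),
                       ("nested3", ADDITIONAL_INFO)]:
        print(f"{name:9} -> {extract(name, text)!r}")
```

Because the leading `.*` is greedy, the wrapped form captures the last four-digit run in the input, so on alert text that can carry more than one number the anchored form is the safer choice for an enrichment rule.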