topic Regex formating help in Splunk Search

Regex formating help

AHEARNJ — Tue, 08 Aug 2017 13:14:32 GMT

Can anyone help me format a regular expression for Splunk?
I can create the regular expression using regexr.com and I have 2 non-capturing groups and a capturing group, but I am not sure how to format the regular expression for splunk.
Any tips or help you can provide is appreciated.

Here is my string:
string1="First Name (DEPT-User) account provisioned"
And the regex:
(:?string1=")([A-Za-z0-9() -]+)(:?account provisioned")
Thanks,

Re: Regex formating help

niketn — Tue, 08 Aug 2017 16:32:18 GMT

Does your data contain string1="First Name (DEPT-User) account provisioned"? Ideally Splunk should have automatically identified this as key value pair during search time. Which implies you would need to create field extraction/rex on string1. Have you checked Interesting Fields in Verbose mode whether string1 field is already available or not? Which is the field you want to extract?

If you want to extract First Name (DEPT-User), following rex should work:

<YourBaseSearch> 
| rex field=_raw "string1=\"(?<Data>[^\)]+\)) account provisioned\""

Re: Regex formating help

niketn — Tue, 08 Aug 2017 17:10:48 GMT

@AHEARNJ, I have converted comment to answer. Please accept to mark as answered!