https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380815#M111424 <P><CODE>The suggestion did not work, I initially needed to remove the first pipe before 'makeresults' because Splunk was complaining, but afterwards nothing showed up in the results.</CODE><BR /> No. that first pipe is needed for makeresults command. <BR /> The makeresults command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Makeresults">https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Makeresults</A></P> <P>@whrg command works fine.. please check the screenshot:<BR /> <CODE>| makeresults count=1<BR /> | eval _raw="java.lang.RuntimeException: {Here is my random string} at com.quantum.myApp bla bla bla"<BR /> | rex field=_raw "java\.lang\.RuntimeException:\s+\{(?[^\}]+)"</CODE></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6311i4C2C478E3A879FF8/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>(PS - please accept @whrg 's answer as the accepted answer.. you can upvote this answer <span class="lia-unicode-emoji" title=":winking_face:">😉</span> )</P> Tue, 08 Jan 2019 08:42:42 GMT inventsekar 2019-01-08T08:42:42Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380811#M111420 <P>I have an event that has a key-value output, and I need to extract the random string within the long string, for example, if my output string was "java.lang.RuntimeException: {Here is my random string} at com.quantum.myApp bla bla bla .....". How can I format the output to capture my random string. I've tried replace and rex unsuccessfully but it could be I did it wrong.</P> Wed, 26 Dec 2018 09:38:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380811#M111420 BenzionYunger 2018-12-26T09:38:38Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380812#M111421 <P>Check out this regex:</P> <PRE><CODE>java\.lang\.RuntimeException:\s+\{(?&lt;Exception&gt;[^\}]+) </CODE></PRE> <P>Here you can see it in action:</P> <PRE><CODE>| makeresults count=1 | eval _raw="java.lang.RuntimeException: {Here is my random string} at com.quantum.myApp bla bla bla" | rex field=_raw "java\.lang\.RuntimeException:\s+\{(?&lt;Exception&gt;[^\}]+)" </CODE></PRE> <P>Now there is a new field named "Exception" with the value "Here is my random string".</P> Wed, 26 Dec 2018 14:27:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380812#M111421 whrg 2018-12-26T14:27:19Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380813#M111422 <P>hi @BenzionYunger,</P> <P>Did you have a chance to check out whrg's answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. </P> <P>Thanks for posting!</P> Tue, 08 Jan 2019 00:07:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380813#M111422 mstjohn_splunk 2019-01-08T00:07:50Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380814#M111423 <P>The suggestion did not work, I initially needed to remove the first pipe before 'makeresults' because Splunk was complaining, but afterwards nothing showed up in the results. My only guess is the raw expression is a randomly long string and I'm cutting if off after the first 12 words, I tried adding a wildcard at the end, but it didn't help. Maybe something needs to be refined. Here is the code I tried:<BR /> <CODE>index="myIndex" makeresults count=1<BR /> | eval _raw="java.lang.RuntimeException: Sign in error message at com.quantum"<BR /> | rex field=_raw "java\.lang\.RuntimeException:\s+\{(?[^\}]+)"</CODE></P> Tue, 08 Jan 2019 07:19:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380814#M111423 BenzionYunger 2019-01-08T07:19:03Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380815#M111424 <P><CODE>The suggestion did not work, I initially needed to remove the first pipe before 'makeresults' because Splunk was complaining, but afterwards nothing showed up in the results.</CODE><BR /> No. that first pipe is needed for makeresults command. <BR /> The makeresults command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Makeresults">https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Makeresults</A></P> <P>@whrg command works fine.. please check the screenshot:<BR /> <CODE>| makeresults count=1<BR /> | eval _raw="java.lang.RuntimeException: {Here is my random string} at com.quantum.myApp bla bla bla"<BR /> | rex field=_raw "java\.lang\.RuntimeException:\s+\{(?[^\}]+)"</CODE></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6311i4C2C478E3A879FF8/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>(PS - please accept @whrg 's answer as the accepted answer.. you can upvote this answer <span class="lia-unicode-emoji" title=":winking_face:">😉</span> )</P> Tue, 08 Jan 2019 08:42:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-a-string-within-a-longer-string-using-regex/m-p/380815#M111424 inventsekar 2019-01-08T08:42:42Z