topic Re: How to extract a field using rex? in Splunk Search

How to extract a field using rex?

iamtrying — Fri, 24 May 2019 17:46:43 GMT

This is the string in the log

I 2019-05-23 18:22:38.984Z 7881 216 XObk7A6CU-I62gr3UIKfXQAAAAs 1@43465473@A WPB-Log: file=/users/aa/test.cls method=fetchdata ID=Qwe123

I want to extract a field marked as bold to build a table.
Please note that all strings are variable so the rex should be generic.

Thanks for the help!

Re: How to extract a field using rex?

dmarling — Fri, 24 May 2019 18:26:07 GMT

Assuming that data is always in the same place this should grab it:

| rex "\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}Z \d+ \d+ (?<fieldName>[^\s]+)"

You'll need to choose the field name you want and replace fieldName with whatever you want to label that field. Here's a link to regex 101 that shows it working on the single example you provided: https://regex101.com/r/TdkzcA/1

Re: How to extract a field using rex?

somesoni2 — Fri, 24 May 2019 18:35:23 GMT

Give this a try (assuming the value you want to extract is 6th element from the start)

your base search
| rex "^(\S+\s+){5}(?<YourField>\S+)"

Re: How to extract a field using rex?

iamtrying — Fri, 24 May 2019 23:18:10 GMT

It worked too