using regex for field extraction

dylanhess — Tue, 07 Dec 2021 14:39:04 GMT

I am trying to extract the action=* from this field, in this event its add. I've trying extracting through how you would typically extract fields but it doesn't want to capture all the different possible events, action=delete, action=replace etc.

UPDATE#011class=DATASET#011prof=IMSVS.*#011vol=P1CP02#011dsn=IMSVS.BETALIBA#011member=PYNMU49#011box=HTC-95-000000033771-0094#011action=ADD#011sum=PJXCPAI6

So I resorted to trying to manually write my own regex (?<=action=).*(?=#) but I cant seem to get the rex command to work or manually add my regex to the filed extraction

rex field=intent (?<=action=).*(?=#)

I get this error message when using the rex command above.

Error in 'rex' command: The regex '(?<=action=).*(?=#)' does not extract anything. It should specify at least one named group. Format: (?<name>...).

Re: using regex for field extraction

ITWhisperer — Tue, 07 Dec 2021 15:03:14 GMT

rex field=intent "action=(?<action>[^#]*)#"

Re: using regex for field extraction

dylanhess — Tue, 07 Dec 2021 15:10:34 GMT

Thank you so much!

topic Re: using regex for field extraction in Splunk Search

using regex for field extraction

Re: using regex for field extraction

Re: using regex for field extraction