topic How do I edit my rex search to extract a string between two other strings from a sample line of data? in Splunk Search

How do I edit my rex search to extract a string between two other strings from a sample line of data?

chlily — Fri, 28 Aug 2015 11:43:48 GMT

Hi,

How do I get "x868686@test.com" between "Account:" and "Source Workstation:" from following text:

Account: x868686@test.com Source Workstation:

I've tried:

eventtype=abcd" | rex field=test "^d+:d+: Account : (?<txid>.*?) : Source Workstation" | fields account

but still doesn't work.

aholzer — Fri, 28 Aug 2015 13:10:55 GMT

You seem to have a number of extra colons (:) in your regex that you don't need.

Try the following. Use field=_raw unless there is a field that contains everything from "Account:" to "Source Workstation".

eventtype=abcd | rex field=_raw "Account: (?P<account>[^\s]+) Source Workstation"

That should extract everything that isn't a whitespace (\s) between "Account: " and " Source" into a field called "account".

Hope this helps

FritzWittwer_ol — Fri, 28 Aug 2015 13:14:45 GMT

The following rex places x868686@test.com in txid:

<your search here> | rex field=_raw ".*Account:\s+(?<txid>\S+)\s+Source Workstation:.*"

I assume there is always a space before and after the txid, and never a space in the txid

swetasoneji — Wed, 18 Apr 2018 16:37:40 GMT

message:Receiving exposure from: net.tcp:\/\/URL\/Expsr\/Exp for account(s): 8568
How would extract account number with rex

Tried this but didn't bring any result.

| rex field=_raw "Exp for account(s):\s+(?[^,]+)"

FritzWittwer_ol — Wed, 18 Apr 2018 20:46:48 GMT

Try

| makeresults
| eval xx ="net.tcp:\/\/URL\/Expsr\/Exp for account(s): 8568"
| rex field=xx "Exp for account(s):\s+(?\d+)"

you have to escape the braces with \ and add a match field name (number)