topic How to use regex in field extraction? in Splunk Search

How to use regex in field extraction?

digital_alchemy — Wed, 11 Jun 2014 18:23:26 GMT

I can't seem to get my regex to work as a field extraction. below is an example string and the regex I'm trying to use.

Sample string:
ab&q=john+schneider+singer+-actor&oq=john+schneider+singer+-actor&g

Regex:
(?<=ab&q=)\S*(?=&oq)

This is what I've been trying in Splunk:
rex field=url "(?<=ab&q=)\S*(?=&oq)(?)"

Basically I want to extract everything between "ab&q=" and "&oq"

aweitzman — Wed, 11 Jun 2014 18:44:49 GMT

I think you're looking for something like this:

rex field=url "ab&q=(?<fieldname>\S*)&oq(.*)"

digital_alchemy — Wed, 11 Jun 2014 19:01:48 GMT

Works great thanks.