I have the event as follows
2021-07-12T18:40:56 host_abc MAIN 1 19 1.0.12.34 user_abc "ABCDEF GHIJ KLMN"................
From the above I am trying to extract the string which is between the double quotes which comes right after the username field
where user_abc is a field value of username field.
Unfortunately, there is command to "extract the quoted string that follows the username field" so we have to do it manually. If there's only one quoted string in the event then this should do it.
| rex "\\\"(?<fieldName>[^\\\"]+)"
If there are multiple quoted strings then we'll have to narrow down the one we want. This regex looks for quotes after a word that follows a number.
| rex "\d+\s\S+\s\\\"(?<fieldName>[^\\\"]+)"
Unfortunately, there is command to "extract the quoted string that follows the username field" so we have to do it manually. If there's only one quoted string in the event then this should do it.
| rex "\\\"(?<fieldName>[^\\\"]+)"
If there are multiple quoted strings then we'll have to narrow down the one we want. This regex looks for quotes after a word that follows a number.
| rex "\d+\s\S+\s\\\"(?<fieldName>[^\\\"]+)"
Thanks for the solution. My event is multiple quoted string Also, the username field contains the value in the below similar format.
A123456
For the scenario, does the second Regex works?
The second regex should work, but if you want to be more specific, try this
| rex "\d+\s\[A-Z]\d{6}+\s\\\"(?<fieldName>[^\\\"]+)"
If this format is set in stone, specifically spacing, use this format to extract the user and the field after it.
^(?:[^\s]+\s+){6}(?<user>[^\s]+)\s\"(?<alphabet>[^\"]+)\"
Splunk Regex Documentation
https://docs.splunk.com/Documentation/Splunk/8.2.1/Knowledge/AboutSplunkregularexpressions
Tutorial On Regular Expression
https://www.regular-expressions.info/
Regular Expression Playground to test your regexes
| rex "\s\"(?<field>[^\"]+)"