Can you help me make a regular expression to extract a field?

Explorer

Hello,

I have these events where I want to extract a filename. Right now, none of the fields capture the Filename("this is what I want to capture") as a field. Using the regex or delimiter generators from Splunk to produce a new field is not giving me good results, so I believe it is best to write one.

Basically, what I want is the information inside the quotes of FileName("") for each event. I indicate it with a red line.


Re: Can you help me make a regular expression to extract a field?

SplunkTrust

Try this:

YOUR SEARCH|rex "Filename\(\"(?<my_filename>[^\"]+)"

This should create a new field called my_filename.
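
Added example, not part of the original thread: the answer's pattern run outside Splunk against constructed events, to show which events yield `my_filename` and which do not. JavaScript is used because it accepts the same `(?<name>...)` group syntax. The sample events and the helpers `extract` and `extractAll` are assumptions made for illustration, and the `i` flag stands in for a leading `(?i)` in the `rex` pattern.

```javascript
// The pattern from the answer, unchanged: case-sensitive, and it needs
// at least one character between the quotes because of the "+".
const ANSWER = /Filename\(\"(?<my_filename>[^\"]+)/;

// Same pattern, case-insensitive (the equivalent of a leading (?i) in rex).
const ANY_CASE = new RegExp(ANSWER.source, "i");

// Constructed sample events; the real events are not shown on the page.
const EVENTS = [
  'action=upload user=alice Filename("report_q3.xlsx") size=48211',
  'action=upload user=bob FileName("C:\\Temp\\invoice.pdf") size=1020',
  'action=upload user=carol Filename("") size=0',
  'action=delete user=dave path=/tmp/x',
];

// Return the captured filename, or null when the event yields no field.
function extract(pattern, event) {
  const m = pattern.exec(event);
  return m ? m.groups.my_filename : null;
}

// Run one pattern over every sample event.
function extractAll(pattern) {
  return EVENTS.map((e) => extract(pattern, e));
}

// Print a side-by-side view of both patterns for each event.
EVENTS.forEach((e, i) => {
  const strict = extractAll(ANSWER)[i];
  const loose = extractAll(ANY_CASE)[i];
  console.log(`${e}\n  as posted: ${strict}\n  with (?i): ${loose}`);
});
```

An event written as `FileName(` with a capital N is only matched by the case-insensitive variant, and an empty `Filename("")` produces no field with either one.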


Re: Can you help me make a regular expression to extract a field?

Explorer

Thank you! works
