Solved: Field Extraction

scout29 · ‎11-22-2024

Need help to extract a field that comes after a certain word in a event.

I am looking to extract a field called "sn_grp" with the value of "M2 Infra Ops". So for every event that has sn_grp: i would like to extract the string that follows of "M2 Infra Ops". This string value will be the same name for every event.

Below is an example data set i am using to write the regex to

\"sn_grp:M2 Infra Ops\"},{\"context\":\"CONTEXTLESS\",\"key\":\"Correspondence Routing Engine\

richgalloway · ‎11-22-2024

This should get you started.

| rex "sn_grp:(?<sn_grp>[^\\]+)"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-22-2024

This should get you started.

| rex "sn_grp:(?<sn_grp>[^\\]+)"

---
If this reply helps you, Karma would be appreciated.

scout29 · ‎11-22-2024

That seems to work however it is capturing the "\" in the string at the end. I want the value to stop after Ops in the string and not include the "\"

richgalloway · ‎11-22-2024

Try my revised answer.

---
If this reply helps you, Karma would be appreciated.

Field Extraction

field extraction

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation

Field Extraction

field extraction

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!