Re: How do I edit my rex search to extract a strin...

chlily · ‎08-28-2015

Hi,

How do I get "x868686@test.com" between "Account:" and "Source Workstation:" from following text:

Account: x868686@test.com Source Workstation:

I've tried:

eventtype=abcd" | rex field=test "^d+:d+: Account : (?<txid>.*?) : Source Workstation" | fields account

but still doesn't work.

swetasoneji · ‎04-18-2018

message:Receiving exposure from: net.tcp:\/\/URL\/Expsr\/Exp for account(s): 8568
How would extract account number with rex

Tried this but didn't bring any result.

| rex field=_raw "Exp for account(s):\s+(?[^,]+)"

FritzWittwer_ol · ‎04-18-2018

Try

| makeresults
| eval xx ="net.tcp:\/\/URL\/Expsr\/Exp for account(s): 8568"
| rex field=xx "Exp for account(s):\s+(?\d+)"

you have to escape the braces with \ and add a match field name (number)

FritzWittwer_ol · ‎08-28-2015

The following rex places x868686@test.com in txid:

<your search here> | rex field=_raw ".*Account:\s+(?<txid>\S+)\s+Source Workstation:.*"

I assume there is always a space before and after the txid, and never a space in the txid

aholzer · ‎08-28-2015

You seem to have a number of extra colons (:) in your regex that you don't need.

Try the following. Use field=_raw unless there is a field that contains everything from "Account:" to "Source Workstation".

eventtype=abcd | rex field=_raw "Account: (?P<account>[^\s]+) Source Workstation"

That should extract everything that isn't a whitespace (\s) between "Account: " and " Source" into a field called "account".

Hope this helps

How do I edit my rex search to extract a string between two other strings from a sample line of data?