How do I get "firstname.lastname@example.org" between "Account:" and "Source Workstation:" from following text:
Account: email@example.com Source Workstation:
eventtype=abcd" | rex field=test "^d+:d+: Account : (?<txid>.*?) : Source Workstation" | fields account
but still doesn't work.
You seem to have a number of extra colons (:) in your regex that you don't need.
Try the following. Use field=_raw unless there is a field that contains everything from "Account:" to "Source Workstation".
eventtype=abcd | rex field=_raw "Account: (?P<account>[^\s]+) Source Workstation"
That should extract everything that isn't a whitespace (\s) between "Account: " and " Source" into a field called "account".
Hope this helps
The following rex places firstname.lastname@example.org in txid:
<your search here> | rex field=_raw ".*Account:\s+(?<txid>\S+)\s+Source Workstation:.*"
I assume there is always a space before and after the txid, and never a space in the txid
message:Receiving exposure from: net.tcp:\/\/URL\/Expsr\/Exp for account(s): 8568
How would extract account number with rex
Tried this but didn't bring any result.
| rex field=_raw "Exp for account(s):\s+(?[^,]+)"
| eval xx ="net.tcp:\/\/URL\/Expsr\/Exp for account(s): 8568"
| rex field=xx "Exp for account(s):\s+(?\d+)"
you have to escape the braces with \ and add a match field name (number)