Splunk Search

How do I edit my rex search to extract a string between two other strings from a sample line of data?

New Member


How do I get "x868686@test.com" between "Account:" and "Source Workstation:" from following text:

Account: x868686@test.com Source Workstation:

I've tried:

eventtype=abcd" | rex field=test "^d+:d+: Account : (?<txid>.*?) : Source Workstation" | fields account

but still doesn't work.

0 Karma

New Member

message:Receiving exposure from: net.tcp:\/\/URL\/Expsr\/Exp for account(s): 8568
How would extract account number with rex

Tried this but didn't bring any result.

| rex field=_raw "Exp for account(s):\s+(?[^,]+)"

0 Karma



| makeresults
| eval xx ="net.tcp:\/\/URL\/Expsr\/Exp for account(s): 8568"
| rex field=xx "Exp for account(s):\s+(?\d+)"

you have to escape the braces with \ and add a match field name (number)

0 Karma


The following rex places x868686@test.com in txid:

<your search here> | rex field=_raw ".*Account:\s+(?<txid>\S+)\s+Source Workstation:.*"

I assume there is always a space before and after the txid, and never a space in the txid

0 Karma


You seem to have a number of extra colons (:) in your regex that you don't need.

Try the following. Use field=_raw unless there is a field that contains everything from "Account:" to "Source Workstation".

eventtype=abcd | rex field=_raw "Account: (?P<account>[^\s]+) Source Workstation" 

That should extract everything that isn't a whitespace (\s) between "Account: " and " Source" into a field called "account".

Hope this helps

Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...