Try this:

 ... | rex "ESS1 - \[(?<thatfield>[^\]]+)" 

this will create a field called thatfield with the value 2813 based on your provided example.

cheers, MuS

Thanks MuS I think this would work though I've just realised when raw data I pasted in didn't include the whites spaces...

ESCO - [57]
ESDC - [82]
ESEM - [170]
ESS1{14whitespaces}-{3whitespaces} [2813]
ESVI - [706]
F421 - [30]

I've got it to work with the below

... | rex "ESS1\s\s\s\s\s\s\s\s\s\s\s\s\s\s.\s\s\s[(?[^]]+)"

I've got it to work with the below

... |rex "ESS1\s\s\s\s\s\s\s\s\s\s\s\s\s\s.\s\s\s[(?[^]]+)"

Hi @woodcock, thank you for taking the time to reply to my post, this works great.

Many thanks and kind regards

Chris

Hi @MuS, thank you for coming back to me with this I really appreciate it. The format of the nino field was "nino\":\"AB123456B\". But not to worry I've been able to extrcat this using the solution by @woodcock.

Once again sincere thanks for your help.

Many thanks and kind regards

Chris

Hi @Mus, thank you for coming back to me with this.

Unfortunately, due to it's sensitive data, I can't send you the raw data, but perhaps if you could explain, what you need I may be able to put something together.

Many thanks and kind regards

Chris

Hi there, it is currently not 100% clear if the event looks like this nino":"AB123456B" or like this nino\":\"AB123456B\" can you please confirm if it is either the first or the later one?

Hi, every one,
how can we use rex field=_raw in an input field ? I couldn't make it correctley

I suggest to open a new question and provide more details

Hi, that's great thank you very much, but could you tell me please how I search for the 'nino' field.

Could you also tell me please, is it possible to search for the field 'nino' specifically because my raw data contains a number of fields with the same "fieldname":"fieldvalue" format.

Many thanks and kind regards

Chris

Just add any search or stats command in the next search pipe like this:

your base reach here | rex field=_raw ":\\\"(?<nino>\w+)\\\"" | table nino

or

your base reach here | rex field=_raw ":\\\"(?<nino>\w+)\\\"" | search nino=AB*

Hi @MuS, that's great, thank you.

Kind Regards

Chris

You're welcome 🙂

Hi, @MuS, I'm really very sorry to trouble you with this again.

I've used the 'rex' expression you kindly provided, but unfortunately it doesn't extract the correct data into the table. I've also tried anothe field called 'middleNames' which has the same format as the NINO, so the expression is rex field=_raw ":"(?w+)"" | table middleNames, but it is still not extracting the field value data from the raw text.

Any ideas?

Many thanks and kind regards

Chris

please provide some raw event for both fields, use the code mark up CTRL-K to encode any special characters ...

Hi @MuS, thank you very much for taking the time to reply to my post.

Unfortunately I can't get this to work, because it returns the error message: Error in 'rex' command: Encountered the following error while compiling the regex ':(?w+)': Regex: unmatched parentheses.

Could you also tell me please, is it possible to search for the field 'nino' specifically because my raw data contains a number of fields with the same "fieldname":"fieldvalue" format.

Many thanks and kind regards

Chris