Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I extract a field value after a specific string in unstructured data?

HeinzWaescher
Motivator
‎02-24-2019 11:34 PM

Hi,

I would like to extract a new field from unstructured data. FX does not help for 100%, so I would like to use regex instead.

Is it possible to extract a string that appears after a specific word? For example, I always want to extract the string that appears after the word testlog:

Sample events (the value for my new fieldA should always be the string after testlog):

1551079647 the testlog 13000 entered the system

1551079652 this is a testlog for fieldextraction

Result of the field extraction:

fieldA=13000
fieldA=for

Thanks in advance

Heinz

Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎02-25-2019 12:25 AM

Try this regex: testlog\s+(?<fieldA>\w+)

https://regex101.com/r/FPWM6h/1

Change that \w+ to whatever you need to capture the value (e.g. if it can also contain non-word characters like - or . or so).

View solution in original post

Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎02-25-2019 12:25 AM

Try this regex: testlog\s+(?<fieldA>\w+)

https://regex101.com/r/FPWM6h/1

Change that \w+ to whatever you need to capture the value (e.g. if it can also contain non-word characters like - or . or so).

Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎02-25-2019 12:46 AM

That points me to the right direction, thanks 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...