Solved: Re: How do I extract a field value after a specifi...

HeinzWaescher · ‎02-24-2019

Hi,

I would like to extract a new field from unstructured data. FX does not help for 100%, so I would like to use regex instead.

Is it possible to extract a string that appears after a specific word? For example, I always want to extract the string that appears after the word testlog:

Sample events (the value for my new fieldA should always be the string after testlog):

1551079647 the testlog 13000 entered the system

1551079652 this is a testlog for fieldextraction

Result of the field extraction:

fieldA=13000
fieldA=for

Thanks in advance

Heinz

FrankVl · ‎02-25-2019

Try this regex: testlog\s+(?<fieldA>\w+)

https://regex101.com/r/FPWM6h/1

Change that \w+ to whatever you need to capture the value (e.g. if it can also contain non-word characters like - or . or so).

View solution in original post

FrankVl · ‎02-25-2019

Try this regex: testlog\s+(?<fieldA>\w+)

https://regex101.com/r/FPWM6h/1

Change that \w+ to whatever you need to capture the value (e.g. if it can also contain non-word characters like - or . or so).

HeinzWaescher · ‎02-25-2019

That points me to the right direction, thanks 🙂

How do I extract a field value after a specific string in unstructured data?

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility

Community Content Calendar, August edition

Are you a member of the Splunk Community?

How do I extract a field value after a specific string in unstructured data?

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility

Community Content Calendar, August edition