Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How do I extract a field value after a specific string in unstructured data?

HeinzWaescher
Motivator
โ€Ž02-24-2019 11:34 PM

Hi,

I would like to extract a new field from unstructured data. FX does not help for 100%, so I would like to use regex instead.

Is it possible to extract a string that appears after a specific word? For example, I always want to extract the string that appears after the word testlog:

Sample events (the value for my new fieldA should always be the string after testlog):

1551079647 the testlog 13000 entered the system

1551079652 this is a testlog for fieldextraction

Result of the field extraction:

fieldA=13000
fieldA=for

Thanks in advance

Heinz

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
โ€Ž02-25-2019 12:25 AM

Try this regex: testlog\s+(?<fieldA>\w+)

https://regex101.com/r/FPWM6h/1

Change that \w+ to whatever you need to capture the value (e.g. if it can also contain non-word characters like - or . or so).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
โ€Ž02-25-2019 12:25 AM

Try this regex: testlog\s+(?<fieldA>\w+)

https://regex101.com/r/FPWM6h/1

Change that \w+ to whatever you need to capture the value (e.g. if it can also contain non-word characters like - or . or so).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
โ€Ž02-25-2019 12:46 AM

That points me to the right direction, thanks ๐Ÿ™‚

0 Karma
Reply