Solved: How do I extract a field value after a specific st...

HeinzWaescher · ‎02-24-2019

Hi,

I would like to extract a new field from unstructured data. FX does not help for 100%, so I would like to use regex instead.

Is it possible to extract a string that appears after a specific word? For example, I always want to extract the string that appears after the word testlog:

Sample events (the value for my new fieldA should always be the string after testlog):

1551079647 the testlog 13000 entered the system

1551079652 this is a testlog for fieldextraction

Result of the field extraction:

fieldA=13000
fieldA=for

Thanks in advance

Heinz

FrankVl · ‎02-25-2019

Try this regex: testlog\s+(?<fieldA>\w+)

https://regex101.com/r/FPWM6h/1

Change that \w+ to whatever you need to capture the value (e.g. if it can also contain non-word characters like - or . or so).

View solution in original post

FrankVl · ‎02-25-2019

Try this regex: testlog\s+(?<fieldA>\w+)

https://regex101.com/r/FPWM6h/1

Change that \w+ to whatever you need to capture the value (e.g. if it can also contain non-word characters like - or . or so).

HeinzWaescher · ‎02-25-2019

That points me to the right direction, thanks 🙂

How do I extract a field value after a specific string in unstructured data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation