regex

ss394546910 · ‎10-07-2022

Splunk logs looks like below:

userid=234user|rwe23|dwdwd --

userid=id123|34lod|2323 textHow can I get value between "=" and first "|"

I want to get table of value between "=" and first "|", like "234user" and "id123"

I tried:

index=indexhere "userid=" |regex "(?<==)(?<info>.+?)(?=\|)"
| dedup info
| table info

this one works fine in regex101, but shows 0 result in Splunk.
Could anyone please help? Any help would be appreciated. Thanks!

yuanliu · ‎10-07-2022

Despite closeness in name, regex and rex are two very different commands. From regex:

regex
Description
Removes results that match or do not match the specified regular expression.

I think you are looking for rex.

index=indexhere "userid="
|rex "=(?<info>[^|]+)"
| dedup info
| table info

View solution in original post

yuanliu · ‎10-07-2022

Despite closeness in name, regex and rex are two very different commands. From regex:

regex
Description
Removes results that match or do not match the specified regular expression.

I think you are looking for rex.

index=indexhere "userid="
|rex "=(?<info>[^|]+)"
| dedup info
| table info

ss394546910 · ‎10-07-2022

Yes..seems like I am looking for rex not regex. Thanks for helping.

richgalloway · ‎10-07-2022

The regex command filters events - it does not extract fields. To extract fields, use the rex command. Also, avoid lookbehind in regexes - they're not necessary and take longer to process.

index=indexhere "userid=" 
| rex "userid=(?<info>[^\|]+?)"
| dedup info
| table info

---
If this reply helps you, Karma would be appreciated.

How do I use regex to select a string between two symbols?

lookup

regex

rex

regex

Description

regex

Description

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies