Solved: How do I write the regex to extract information wi...

BC88 · ‎11-18-2015

Hey there,

I have been banging my head over this issue. Basically, I am searching a sourcetype for, let's call it, "X".

This search returns something along the lines of:

"Useless data here (Important Data)"

I am trying to display all of the information inside the parenthesis. I was looking at rex and regex and couldn't figure out how to word the syntax.

Any help would be appreciated!

MuS · ‎11-18-2015

Hi BC88,

based on your provided example run this regex:

 your base search here sourcetype=X |rex "\((?<myData>[^\)]+)\)" | ...

This will create a new field called myData which you can rename if needed 😉

Hope this helps ...

cheers, MuS

MuS · ‎11-18-2015

Hi BC88,

based on your provided example run this regex:

 your base search here sourcetype=X |rex "\((?<myData>[^\)]+)\)" | ...

This will create a new field called myData which you can rename if needed 😉

Hope this helps ...

cheers, MuS

sjbriggs · ‎08-27-2019

Struggled with this for two days until I found your answer. Thanks!

How do I write the regex to extract information within parenthesis?