How do you extract a field between 2 fixed words?

clarkedayne · ‎03-28-2019

Need help extracting\creating a new field between 2 fixed words.

Example:

!CASH OUT         $100.00!                        !TOTAL

!CASH OUT and !TOTAL are fixed, but the value amount in between ($100.00) changes. I would like to create a field, so I can field the events by the cash out amount ect.

I have tried the below search, but it doesn't return any results

"!CASH OUT" "!TOTAL" | rex "!CASH OUT (?[^!]+)!TOTAL"

Thank you, any assistance will be much appreciated

woodcock · ‎03-31-2019

Like this:

| makeresults 
| eval _raw="!CASH OUT         $100.00!                        !TOTAL"
| rex "!CASH\s+OUT\s+\$(?<cash>[\d\.]+)!\s+!TOTAL"

vnravikumar · ‎03-29-2019

Hi

Try this rex

!CASH\sOUT\s(?P<output>.+)\s!TOTAL

OR

!CASH\sOUT\s(?P<output>[^!]+)!\s!TOTAL

clarkedayne · ‎03-28-2019

Edit: I have tried the below search rather
"!CASH OUT" "!TOTAL" | rex "!CASH OUT (?[^!]+)!TOTAL"

How do you extract a field between 2 fixed words?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How do you extract a field between 2 fixed words?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey