Splunk Search

How do you extract a field between 2 fixed words?

clarkedayne
New Member

Need help extracting/creating a new field between 2 fixed words.

Example:

!CASH OUT         $100.00!                        !TOTAL

!CASH OUT and !TOTAL are fixed, but the value amount in between ($100.00) changes. I would like to create a field, so I can field the events by the cash out amount etc.

I have tried the below search, but it doesn't return any results.

"!CASH OUT" "!TOTAL" | rex "!CASH OUT (?[^!]+)!TOTAL"

Thank you, any assistance will be much appreciated.


woodcock
Esteemed Legend

Like this:

| makeresults 
| eval _raw="!CASH OUT         $100.00!                        !TOTAL"
| rex "!CASH\s+OUT\s+\$(?<cash>[\d\.]+)!\s+!TOTAL"

vnravikumar
Champion

Hi

Try this rex

!CASH\sOUT\s(?P<output>.+)\s!TOTAL

OR

!CASH\sOUT\s(?P<output>[^!]+)!\s!TOTAL

clarkedayne
New Member

Edit: I have tried the below search rather
"!CASH OUT" "!TOTAL" | rex "!CASH OUT (?[^!]+)!TOTAL"
