Solved: How do you write a regular expression to extract a... - Splunk Community

Splunk Search

Hi,

Can anyone teach me how to write a regular expression to extract the field on the following raw event?

sendmail[11111]: w9234FKJa23233: to=xxxxxx

I would like to extract the "w9234FKJa23233" and create a new field that starts with "w" and then 13 char/digits.

Thanks a lot

1 Solution

Solution

Hi @kcchu01,

Please try below regex, this will extract everything between : and :

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>[^\:]+)[\:])"

If you want results which only starts with w then try below regex

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>w[^\:]+)[\:])"

View solution in original post

Solution

Hi @kcchu01,

Please try below regex, this will extract everything between : and :

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>[^\:]+)[\:])"

If you want results which only starts with w then try below regex

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>w[^\:]+)[\:])"

Your regex is not 100% correct. It matches any text from a space up to :
It will also give data from this line with only one :

sendmail[11111] w9234FKJa23233: to=xxxxxx

So a more correct regex would be:

(?::\s(?<extracted_field>[^\:]+)[\:])

It will extract all data between two :, except the first space.

Also you do not need to escape the : or put it in brackets at the end, so:

(?::\s(?<extracted_field>[^:]+):)

Thanks a lot, the field is extracted perfectly.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...