Solved: How do you write a regular expression to extract a... - Splunk Community

Splunk Search

Hi,

Can anyone teach me how to write a regular expression to extract the field on the following raw event?

sendmail[11111]: w9234FKJa23233: to=xxxxxx

I would like to extract the "w9234FKJa23233" and create a new field that starts with "w" and then 13 char/digits.

Thanks a lot

1 Solution

Solution

Hi @kcchu01,

Please try below regex, this will extract everything between : and :

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>[^\:]+)[\:])"

If you want results which only starts with w then try below regex

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>w[^\:]+)[\:])"

View solution in original post

Solution

Hi @kcchu01,

Please try below regex, this will extract everything between : and :

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>[^\:]+)[\:])"

If you want results which only starts with w then try below regex

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>w[^\:]+)[\:])"

Your regex is not 100% correct. It matches any text from a space up to :
It will also give data from this line with only one :

sendmail[11111] w9234FKJa23233: to=xxxxxx

So a more correct regex would be:

(?::\s(?<extracted_field>[^\:]+)[\:])

It will extract all data between two :, except the first space.

Also you do not need to escape the : or put it in brackets at the end, so:

(?::\s(?<extracted_field>[^:]+):)

Thanks a lot, the field is extracted perfectly.

Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars Sometimes, you just need to see the code. For those looking for a ...