Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you write a regular expression to extract a field between two colons with a particular pattern?

kcchu01
Explorer
‎10-26-2018 03:05 AM

Hi,

Can anyone teach me how to write a regular expression to extract the field on the following raw event?

sendmail[11111]: w9234FKJa23233: to=xxxxxx

I would like to extract the "w9234FKJa23233" and create a new field that starts with "w" and then 13 char/digits.

Thanks a lot

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎10-26-2018 03:27 AM

Hi @kcchu01,

Please try below regex, this will extract everything between : and :

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>[^\:]+)[\:])"

If you want results which only starts with w then try below regex

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>w[^\:]+)[\:])"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎10-26-2018 03:27 AM

Hi @kcchu01,

Please try below regex, this will extract everything between : and :

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>[^\:]+)[\:])"

If you want results which only starts with w then try below regex

<yourBaseSearch> | rex field=_raw "(?:\s(?<extracted_field>w[^\:]+)[\:])"
0 Karma
Reply
Solved! Jump to solution

lakromani
Builder
‎10-29-2018 03:11 AM

Your regex is not 100% correct. It matches any text from a space up to :
It will also give data from this line with only one :

sendmail[11111] w9234FKJa23233: to=xxxxxx

So a more correct regex would be: 

(?::\s(?<extracted_field>[^\:]+)[\:])

It will extract all data between two :, except the first space.

Also you do not need to escape the : or put it in brackets at the end, so:

(?::\s(?<extracted_field>[^:]+):)
0 Karma
Reply
Solved! Jump to solution

kcchu01
Explorer
‎10-29-2018 02:39 AM

Thanks a lot, the field is extracted perfectly.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...