Solved: How to create a regex to extract field values?

jacqu3sy · ‎07-20-2018

Hi,

I need a regex to extract the value 'Fred' in quotes after the User declaration below;

,"User:"Fred",

So any value between the quotes after the : and up to the ,

I don't really want the quotes returned in the results. Struggling as I'm a regex wuss!

Thanks in advance for any help!

thambisetty · ‎07-20-2018

Hi,

Try something like below,

| your search | rex field=_raw "User:\"(?<user>[^\"]+)"

example with your data:

| makeresults | eval _raw=",\"User:\"Fred\"," 
| rex field=_raw "User:\"(?<user>[^\"]+)"

Happy Splunking...

————————————
If this helps, give a like below.

thambisetty · ‎07-20-2018

Hi,

Try something like below,

| your search | rex field=_raw "User:\"(?<user>[^\"]+)"

example with your data:

| makeresults | eval _raw=",\"User:\"Fred\"," 
| rex field=_raw "User:\"(?<user>[^\"]+)"

Happy Splunking...

————————————
If this helps, give a like below.

jacqu3sy · ‎07-20-2018

Nearly worked, I needed another set of quotes after User i.e.

"User":\"(?[^\"]+)"

Works now. Thanks!

jacqu3sy · ‎07-20-2018

But thats my fault as I left those off in my example!! My bad. Thanks for your help.

HiroshiSatoh · ‎07-20-2018

Try this!

| makeresults |eval _raw=",\"User:\"Fred\","|  rex field=_raw "User:\"(?P<User>.*)\""

How to create a regex to extract field values?