Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How to create a regex to extract field values?

jacqu3sy
Path Finder
โ€Ž07-20-2018 02:44 AM

Hi,

I need a regex to extract the value 'Fred' in quotes after the User declaration below;

,"User:"Fred",

So any value between the quotes after the : and up to the ,

I don't really want the quotes returned in the results. Struggling as I'm a regex wuss!

Thanks in advance for any help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
Champion
โ€Ž07-20-2018 02:59 AM

Hi,

Try something like below,

| your search | rex field=_raw "User:\"(?<user>[^\"]+)"

example with your data:

| makeresults | eval _raw=",\"User:\"Fred\"," 
| rex field=_raw "User:\"(?<user>[^\"]+)"

Happy Splunking...

โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”
If this helps, give a like below.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
Champion
โ€Ž07-20-2018 02:59 AM

Hi,

Try something like below,

| your search | rex field=_raw "User:\"(?<user>[^\"]+)"

example with your data:

| makeresults | eval _raw=",\"User:\"Fred\"," 
| rex field=_raw "User:\"(?<user>[^\"]+)"

Happy Splunking...

โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”
If this helps, give a like below.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jacqu3sy
Path Finder
โ€Ž07-20-2018 03:58 AM

Nearly worked, I needed another set of quotes after User i.e.

"User":\"(?[^\"]+)"

Works now. Thanks!

0 Karma
Reply
Solved! Jump to solution

jacqu3sy
Path Finder
โ€Ž07-20-2018 03:59 AM

But thats my fault as I left those off in my example!! My bad. Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
โ€Ž07-20-2018 02:56 AM

Try this!

| makeresults |eval _raw=",\"User:\"Fred\","|  rex field=_raw "User:\"(?P<User>.*)\""
0 Karma
Reply