Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a field using rex?

iamtrying
New Member
‎05-24-2019 10:46 AM

This is the string in the log

I 2019-05-23 18:22:38.984Z 7881 216 XObk7A6CU-I62gr3UIKfXQAAAAs 1@43465473@A WPB-Log: file=/users/aa/test.cls method=fetchdata ID=Qwe123

I want to extract a field marked as bold to build a table.
Please note that all strings are variable so the rex should be generic.

Thanks for the help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmarling
Builder
‎05-24-2019 11:26 AM

Assuming that data is always in the same place this should grab it:

| rex "\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}Z \d+ \d+ (?<fieldName>[^\s]+)"

You'll need to choose the field name you want and replace fieldName with whatever you want to label that field. Here's a link to regex 101 that shows it working on the single example you provided: https://regex101.com/r/TdkzcA/1

If this comment/answer was helpful, please up vote it. Thank you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-24-2019 11:35 AM

Give this a try (assuming the value you want to extract is 6th element from the start)

your base search
| rex "^(\S+\s+){5}(?<YourField>\S+)"
0 Karma
Reply
Solved! Jump to solution

iamtrying
New Member
‎05-24-2019 04:18 PM

It worked too

0 Karma
Reply
Solved! Jump to solution
Solution

dmarling
Builder
‎05-24-2019 11:26 AM

Assuming that data is always in the same place this should grab it:

| rex "\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}Z \d+ \d+ (?<fieldName>[^\s]+)"

You'll need to choose the field name you want and replace fieldName with whatever you want to label that field. Here's a link to regex 101 that shows it working on the single example you provided: https://regex101.com/r/TdkzcA/1

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...