Solved: How to extract text from raw data using rex?

9jamie · ‎04-26-2022

I'm new to regex and having trouble extracting some text. My raw data is in the following format:

ID=[12839829389-8b7e89opf][2839128391DJ33838PR]

I need to extract the text between the first two brackets,12839829389-8b7e89opf, into a new field.

So far what I have does not work: | rex field=_raw "ID=[(?<id>.*)]"

If anyone could help it would be greatly appreciated.

ITWhisperer · ‎04-26-2022

Square brackets are special characters in regex so need to be escaped with backslashes

| rex field=_raw "ID=\[(?<id>.*)\]"

View solution in original post

ITWhisperer · ‎04-26-2022

Square brackets are special characters in regex so need to be escaped with backslashes

| rex field=_raw "ID=\[(?<id>.*)\]"

9jamie · ‎04-26-2022

this returns everything after ID up until the final closing bracket. so i added the brackets containing the second part of the id as well. final solution:

rex field=_raw "ID=\[(?<id>.*\]\[.*\]"

thanks for the help

How to extract text from raw data using rex?

field extraction

rex

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to extract text from raw data using rex?

field extraction

rex

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25