Solved: How to extract text from raw data using rex?

9jamie · ‎04-26-2022

I'm new to regex and having trouble extracting some text. My raw data is in the following format:

ID=[12839829389-8b7e89opf][2839128391DJ33838PR]

I need to extract the text between the first two brackets,12839829389-8b7e89opf, into a new field.

So far what I have does not work: | rex field=_raw "ID=[(?<id>.*)]"

If anyone could help it would be greatly appreciated.

ITWhisperer · ‎04-26-2022

Square brackets are special characters in regex so need to be escaped with backslashes

| rex field=_raw "ID=\[(?<id>.*)\]"

View solution in original post

ITWhisperer · ‎04-26-2022

Square brackets are special characters in regex so need to be escaped with backslashes

| rex field=_raw "ID=\[(?<id>.*)\]"

9jamie · ‎04-26-2022

this returns everything after ID up until the final closing bracket. so i added the brackets containing the second part of the id as well. final solution:

rex field=_raw "ID=\[(?<id>.*\]\[.*\]"

thanks for the help

How to extract text from raw data using rex?

field extraction

rex

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to extract text from raw data using rex?

field extraction

rex

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!