Solved: How to use regex in field extraction?

digital_alchemy · ‎06-11-2014

I can't seem to get my regex to work as a field extraction. below is an example string and the regex I'm trying to use.

Sample string:
ab&q=john+schneider+singer+-actor&oq=john+schneider+singer+-actor&g

Regex:
(?<=ab&q=)\S*(?=&oq)

This is what I've been trying in Splunk:
rex field=url "(?<=ab&q=)\S*(?=&oq)(?)"

Basically I want to extract everything between "ab&q=" and "&oq"

aweitzman · ‎06-11-2014

I think you're looking for something like this:

rex field=url "ab&q=(?<fieldname>\S*)&oq(.*)"

aweitzman · ‎06-11-2014

I think you're looking for something like this:

rex field=url "ab&q=(?<fieldname>\S*)&oq(.*)"

digital_alchemy · ‎06-11-2014

Works great thanks.

How to use regex in field extraction?