
How to use regex in field extraction?

Path Finder

I can't seem to get my regex to work as a field extraction. Below is an example string and the regex I'm trying to use.

Sample string:
ab&q=john+schneider+singer+-actor&oq=john+schneider+singer+-actor&g

Regex:
(?<=ab&q=)\S*(?=&oq)

This is what I've been trying in Splunk:
rex field=url "(?<=ab&q=)\S*(?=&oq)(?)"

Basically I want to extract everything between "ab&q=" and "&oq"

1 Solution

Motivator

I think you're looking for something like this:

rex field=url "ab&q=(?<fieldname>\S*)&oq(.*)"


Path Finder

Works great thanks.
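
Why the lookaround pattern from the question produces no field while the named-group pattern from the answer does, as an added Python example that is not part of the original thread: `rex` creates fields only from named capture groups, and the question's pattern matches the right text without capturing it under a name. Python's `re` spells the named group `(?P<fieldname>...)` where Splunk's PCRE accepts `(?<fieldname>...)`; `NAMED_TIGHT`, the helper names and every sample string except the first are assumptions constructed here.

```python
import re

# Sample url values. The first is the string from the question; the rest are constructed.
SAMPLES = [
    "ab&q=john+schneider+singer+-actor&oq=john+schneider+singer+-actor&g",
    "ab&q=first&oq=first&x=1&oq=again",  # constructed: "&oq" occurs twice
    "ab&q=&oq=&g",                        # constructed: empty query
    "client=firefox&q=no+marker+here",    # constructed: markers absent
]

# Pattern from the question: lookarounds only, no capture group.
LOOKAROUND = r"(?<=ab&q=)\S*(?=&oq)"
# Pattern from the answer, with the named group in Python spelling.
NAMED_GREEDY = r"ab&q=(?P<fieldname>\S*)&oq(.*)"
# Assumption (not from the thread): stop at the first "&" instead of the last "&oq".
NAMED_TIGHT = r"ab&q=(?P<fieldname>[^&\s]*)&oq"


def whole_match(pattern, value):
    """Text matched by the pattern as a whole, or None when it does not match."""
    m = re.search(pattern, value)
    return m.group(0) if m else None


def extract_fields(pattern, value):
    """Mimic a field extraction: only named groups become fields."""
    m = re.search(pattern, value)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    for url in SAMPLES:
        print(url)
        print("  lookaround match :", whole_match(LOOKAROUND, url))
        print("  lookaround fields:", extract_fields(LOOKAROUND, url))
        print("  answer fields    :", extract_fields(NAMED_GREEDY, url))
        print("  tight fields     :", extract_fields(NAMED_TIGHT, url))
```

On the second sample the greedy `\S*` runs to the last `&oq`, so the tightened character class is worth considering when a parameter can repeat in the logged URL.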
