Solved: How to write regex to extract value in between two...

syazwani · ‎02-15-2023

Hi, I need help to extract a value from field named "message".

Field "message" value is as below:

The process C:\Windows\system32\winlogon.exe (PRD01) has initiated the power off of computer PC01 on behalf of user ADMIN JABATAN for the following reason: No title for this reason could be found

The process C:\Windows\system32\shutdown.exe (PRD01) has initiated the restart of computer PC01 on behalf of user ADMIN\SUPPORT for the following reason: No title for this reason could be found

The process C:\Windows\system32\shutdown.exe (PRD01) has initiated the restart of computer PC01 on behalf of user admin for the following reason: No title for this reason could be found

The value i want to extract is:

newField

ADMIN JABATAN

ADMIN\SUPPORT

admin

Please assist. Thanks.

batabay · ‎02-15-2023

Hi,

your search

| rex field=message "of\suser\s(?<new_user>.+?)\sfor\sthe"

this command extract new_user field.

View solution in original post

syazwani · ‎02-19-2023

Hi @batabay, thank you for the response. It works!

batabay · ‎02-15-2023

Hi,

your search

| rex field=message "of\suser\s(?<new_user>.+?)\sfor\sthe"

this command extract new_user field.

How to write regex to extract value in between two phrases?

field extraction

regex

rex

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?