Splunk Search

Regular expression in Splunk for extracting fields

Gowtham0809
New Member

I have some uneven strings and I need to extract a field from all of them. The unique thing is that the required field lies next to a common word in all the strings.

Below are some examples of the strings:

UTC Tue Jan 31 06:42:59 2017 [AE-214OX - 11.4.65.91] Anmelden bei Account Administrator
UTC Tue Jan 31 09:10:07 2017 [CB-Z0OaB - 11.4.65.91] Login for account abc2ab (abc2ab)
UTC Tue Jan 31 15:04:29 2017 [AE-214OX - 11.4.65.91] Anmeldeversuch für Account def3abc fehlgeschlagen
UTC Mon Feb 06 15:38:41 2017 [AE-214OX - 11.4.65.91] Failed login for account testuser

The above are a few example strings, from which I need to extract the very next word after "account" in all the strings.
Note: the word "account" appears in both upper and lower case.

Can someone help me with a regular expression to extract the field next to the word "account"?

Thank you.

1 Solution

rjthibod
Champion

Try this to extract the value into a field called "accountid". This assumes the value you are trying to extract contains no spaces. You will need to clarify the expected value if it can contain spaces.

<YOUR BASE SEARCH>
| rex field=_raw "[Aa]ccount\s+(?<accountid>[^\s]+)"

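The same extraction run outside Splunk, as an added example that is not part of the original thread: the four sample events from the question are embedded as constructed input, the pattern is the answer's rex written for Python's `re`, and a small `Counter` stands in for a follow-up `stats count by accountid`. Two things the answer does not spell out are shown here: inside a character class the `|` is a literal, so `[A|a]ccount` also matches the text `|ccount`, and a leading `\b` stops `subaccount` from matching. `\S+` is equivalent to the answer's `[^\s]+`. The helper names are mine.

```python
import re
from collections import Counter

# Constructed sample events, copied from the question above.
SAMPLE_EVENTS = [
    "UTC Tue Jan 31 06:42:59 2017 [AE-214OX - 11.4.65.91] Anmelden bei Account Administrator",
    "UTC Tue Jan 31 09:10:07 2017 [CB-Z0OaB - 11.4.65.91] Login for account abc2ab (abc2ab)",
    "UTC Tue Jan 31 15:04:29 2017 [AE-214OX - 11.4.65.91] Anmeldeversuch für Account def3abc fehlgeschlagen",
    "UTC Mon Feb 06 15:38:41 2017 [AE-214OX - 11.4.65.91] Failed login for account testuser",
]

# Equivalent of the rex pattern, with the class written as [Aa]. Inside [...] a '|'
# is a literal character, so [A|a]ccount would also match "|ccount".
# \b keeps "subaccount" from matching; \S+ is the same as [^\s]+.
ACCOUNT_RE = re.compile(r"\b[Aa]ccount\s+(?P<accountid>\S+)")

# The [A|a] form, kept only to show how it differs from [Aa].
PIPE_CLASS_RE = re.compile(r"[A|a]ccount\s+(?P<accountid>\S+)")


def extract_accountid(event, pattern=ACCOUNT_RE):
    """Return the whitespace-free token after 'account'/'Account', or None."""
    match = pattern.search(event)
    return match.group("accountid") if match else None


def extract_all(events):
    """Field extraction over a batch of events, like `rex` over search results."""
    return [extract_accountid(e) for e in events]


def count_by_accountid(events):
    """Rough equivalent of `| stats count by accountid` for events that matched."""
    return Counter(a for a in extract_all(events) if a is not None)


if __name__ == "__main__":
    for event, accountid in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f"{accountid!s:14} <- {event}")
    print(count_by_accountid(SAMPLE_EVENTS))
    # The pipe inside the class is the only difference between the two patterns:
    odd = "something |ccount bogus"
    print(extract_accountid(odd, PIPE_CLASS_RE), extract_accountid(odd))
```

If the account value can itself contain spaces (the caveat the answer raises), `\S+` is the wrong quantifier and you would need a delimiter-based capture instead; the example keeps the answer's no-spaces assumption.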


Gowtham0809
New Member

Thank you, it works as expected.
