Solved: Regular expression in Splunk for extracting fields

Gowtham0809 · ‎03-13-2017

I have some uneven stings and I need to extract a field from all the strings. Unique thing is the required field lies next to a common word in all the strings.

below are some some example for the strings

UTC Tue Jan 31 06:42:59 2017 [AE-214OX - 11.4.65.91] Anmelden bei Account Administrator
UTC Tue Jan 31 09:10:07 2017 [CB-Z0OaB - 11.4.65.91] Login for account abc2ab (abc2ab)
UTC Tue Jan 31 15:04:29 2017 [AE-214OX - 11.4.65.91] Anmeldeversuch für Account def3abc fehlgeschlagen
UTC Mon Feb 06 15:38:41 2017 [AE-214OX - 11.4.65.91] Failed login for account testuser

The above are few example strings. from which I need to extract the very next word, which lies next to account from all the all the strings.
Note: the word account lies in both upper and lower case.

Can some one help me with a regular expression to extract the field next to word account.

Thank you.

rjthibod · ‎03-14-2017

Try this to extract the value into a field called "accountid". This assumes the value you are trying to extract contains no spaces. You will need to clarify the expected value if it can contain spaces.

<YOUR BASE SEARCH>
| rex field=_raw "[A|a]ccount\s+(?<accountid>[^\s]+)"

View solution in original post

rjthibod · ‎03-14-2017

Try this to extract the value into a field called "accountid". This assumes the value you are trying to extract contains no spaces. You will need to clarify the expected value if it can contain spaces.

<YOUR BASE SEARCH>
| rex field=_raw "[A|a]ccount\s+(?<accountid>[^\s]+)"

Gowtham0809 · ‎03-14-2017

Thank you, Its works as expected

Regular expression in Splunk for extracting fields

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector