Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Regular Expression

AHEARNJ
Explorer
‎08-07-2017 09:32 AM

I am trying to extract a filed using. | rex field=_raw
I used regexr to create a regular expression with an exclude group and a capture group.
I have this working, but can't seem to format this for Splunk.
Any good tips for Regex and Splunk?
Regex I am using: 

 (?:<entry key="applications" value=")([a-zA-Z0-9 ]+)(?:"\/>)

String extracting the value from: 

<entry key="applications" value="AD Users"/>

Any help you can provide is greatly appreciated.

Thanks,

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2017 09:54 AM

Your regex string doesn't contain field extractions so the rex command is not doing anything for you. Another factor is the rex command requires quotation marks be escaped. See if this helps you.

... | rex "<entry key=\"applications\" value=\"(?<appValue>[a-zA-Z0-9 ]+)\"\/>" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...