Splunk Search

What is the regex needed to extract the field "FileImported" field format?

Path Finder

I have the following Field named FileImported that is formatted the following way:

text_text_NEEDED EXTRACTION_text

An example of FileImported is:


And I want "FileID1564" as a field named "Export" from the existing FileImported field.

I have attempted Regex myself, but am not as experienced in it to get it working. What would be the regex needed to extract what I need based on the FileImported field format?


Super Champion

Hey, try this run-anywhere search:

| makeresults 
| eval FileImported="22_ABC_FileID1564_Export sds_ABCsds_FileID15sdsd64_Export1ww" 
| makemv FileImported 
| mvexpand FileImported 
| rex field=FileImported ".*_(?<Export>\w+)[-_]"

In your environment, you should write:

<base_Search>| rex field=FileImported ".*_(?<Export>\w+)[-_]"

Let me know if this helps!


Try this.

... | rex field=FileImported "(?:\w+_){2}(?<Export>[^_]+)_" | ...

BTW, regex101.com is a great site for testing regex extractions.

If this reply helps you, Karma would be appreciated.

Super Champion

Hi @griffinpair,
Try this regex:

...|rex field=FileImported "([^_]+_){2}(?<Export>[^_]+)"
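Added example, not code from any of the replies above: the three rex patterns proposed in this thread run in JavaScript (whose regex engine agrees with Splunk's PCRE for these character classes) over the two sample values from the first answer, plus one value constructed here with the trailing segment missing, so the behaviour of each pattern on a shorter value is visible. The pattern names and the third sample are assumptions made for this example.

```javascript
// Added example (not from the thread): compare the three regexes proposed
// above. Splunk's rex uses PCRE; for these patterns JS behaves identically.
const PATTERNS = {
  greedy_prefix: /.*_(?<Export>\w+)[-_]/,          // first answer
  two_word_groups: /(?:\w+_){2}(?<Export>[^_]+)_/, // second answer
  two_segments: /([^_]+_){2}(?<Export>[^_]+)/,     // third answer
};

// Sample values: the first two come from the first answer's makeresults
// search; the third is constructed here (no trailing "_Export" segment).
const SAMPLES = [
  "22_ABC_FileID1564_Export",
  "sds_ABCsds_FileID15sdsd64_Export1ww",
  "22_ABC_FileID1564",
];

// Apply one pattern to one value and return the captured Export, or null
// when the regex does not match (rex likewise leaves the field unset).
function extractExport(pattern, value) {
  const m = pattern.exec(value);
  return m && m.groups ? m.groups.Export : null;
}

// Run every pattern over every sample: { patternName: [result, ...] }
function compareAll(samples = SAMPLES) {
  const out = {};
  for (const [name, re] of Object.entries(PATTERNS)) {
    out[name] = samples.map((v) => extractExport(re, v));
  }
  return out;
}

// Note that \w includes "_", so the first two patterns rely on the trailing
// [-_] / _ to stop in the right place; on the short third value the first
// pattern returns the wrong segment ("ABC") and the second returns null,
// while the third pattern returns "FileID1564" for all three samples.
for (const [name, results] of Object.entries(compareAll())) {
  console.log(name.padEnd(16), results);
}
```

A pattern that silently yields the wrong segment is harder to spot in a report or detection than one that leaves the field unset, so check the shorter and longer variants of the field before relying on the extraction.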