Splunk Search

What is the regex needed to extract the field "FileImported" field format?

griffinpair
Path Finder

I have the following Field named FileImported that is formatted the following way:

text_text_NEEDED EXTRACTION_text

An example of FileImported is:

22_ABC_FileID1564_Export

And I want "FileID1564" as a field named "Export" from the existing FileImported field.

I have attempted the regex myself, but I am not experienced enough in it to get it working. What would be the regex needed to extract what I need based on the FileImported field format?

0 Karma

mayurr98
Super Champion

Hey, try this run-anywhere search:

| makeresults 
| eval FileImported="22_ABC_FileID1564_Export sds_ABCsds_FileID15sdsd64_Export1ww" 
| makemv FileImported 
| mvexpand FileImported 
| rex field=FileImported ".*_(?<Export>\w+)[-_]"

In your environment, you should write:

<base_Search>| rex field=FileImported ".*_(?<Export>\w+)[-_]"

Let me know if this helps!

richgalloway
SplunkTrust

Try this.

... | rex field=FileImported "(?:\w+_){2}(?<Export>[^_]+)_" | ...

BTW, regex101.com is a great site for testing regex extractions.

---
If this reply helps you, Karma would be appreciated.

493669
Super Champion

Hi @griffinpair,
Try this regex:

...|rex field=FileImported "([^_]+_){2}(?<Export>[^_]+)"
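To see how the three suggested patterns behave on the sample value and on two constructed edge cases (a hyphen inside the wanted segment, and an extra trailing segment), here is an added Python check that is not from the thread: it mimics `rex` with Python's `re` module, translating Splunk's PCRE-style `(?<name>...)` groups into Python's `(?P<name>...)`. The sample values and the helper names `to_python_regex`, `rex` and `compare` are my own.

```python
import re

# The three patterns proposed in the thread, in Splunk's PCRE-style named-group syntax.
THREAD_PATTERNS = {
    "mayurr98":     r".*_(?<Export>\w+)[-_]",
    "richgalloway": r"(?:\w+_){2}(?<Export>[^_]+)_",
    "493669":       r"([^_]+_){2}(?<Export>[^_]+)",
}

# Constructed sample values (not from the thread): the documented format, then a
# hyphen inside the wanted segment, then a value with a fourth underscore segment.
SAMPLES = [
    "22_ABC_FileID1564_Export",
    "22_ABC_File-ID1564_Export",
    "22_ABC_FileID1564_Export_Final",
]


def to_python_regex(pcre_pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).
    Lookbehind assertions (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pcre_pattern)


def rex(pattern: str, value: str) -> dict:
    """Mimic `rex field=X "<pattern>"`: return the named groups of the first match,
    or an empty dict when nothing matches (Splunk then leaves the field unset)."""
    m = re.search(to_python_regex(pattern), value)
    return m.groupdict() if m else {}


def compare(samples=SAMPLES) -> dict:
    """Run every thread pattern over every sample.
    Returns {author: [value of Export per sample, or None when unmatched]}."""
    return {
        author: [rex(p, s).get("Export") for s in samples]
        for author, p in THREAD_PATTERNS.items()
    }


if __name__ == "__main__":
    for author, results in compare().items():
        print(f"{author:13} {results}")
```

Because `\w` also matches the underscore, the two patterns built on `\w+` can let one "segment" swallow several underscore-separated parts when the value has an extra segment, so a field used in a detection search is worth checking against such values before relying on it.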