Re: What is the regex needed to extract the field ...

griffinpair · ‎02-28-2018

I have the following Field named FileImported that is formatted the following way:

text_text_NEEDED EXTRACTION_text

An example of FileImported is:

22_ABC_FileID1564_Export

And I want "FileID1564" as a field named "Export" from the existing Fileimported field.

I have attempted Regex myself, but am not as experienced in it to get it working. What would be the regex needed to extract what I need based on the FileImported field format?

mayurr98 · ‎02-28-2018

hey try this run anywhere search

| makeresults 
| eval FileImported="22_ABC_FileID1564_Export sds_ABCsds_FileID15sdsd64_Export1ww" 
| makemv FileImported 
| mvexpand FileImported 
| rex field=FileImported ".*_(?<Export>\w+)[-_]"

In your environment, you should write

<base_Search>| rex field=FileImported ".*_(?<Export>\w+)[-_]"

let me know if this helps!

richgalloway · ‎02-28-2018

Try this.

... | rex field=FileImported "(?:\w+_){2}(?<Export>[^_]+)_" | ...

BTW, regex101.com is a great site for testing regex extractions.

---
If this reply helps you, Karma would be appreciated.

493669 · ‎02-28-2018

Hi @griffinpair,
Try this regex:

...|rex field=FileImported "([^_]+_){2}(?<Export>[^_]+)"

What is the regex needed to extract the field "FileImported" field format?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

What is the regex needed to extract the field "FileImported" field format?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!