Solved: extract field between two single quotes please hel...

r999 · ‎09-01-2012

Sorry i am a noob to regex and splunk regex especially.

Regex to extarct all that is between the two single quotes. there will never be a single quote in the name.

EG extract the name
Bloggs, Joe:IT

two Message field examples:

The user 'Bloggs, Joe:IT' logged in

Mailbox of 'Smith, John:HR' was opened

How can i:
A) do this using REX
B) do this in props.conf

REX something like

  index =data | rex field=Message "\'(?P<name>)\'"

and from a REx how do you change it to extarct in props.conf?

Thanks in advance

_d_ · ‎09-01-2012

Using rex:

index=data | rex field=Message "\'(?P<name>[^']+)\'"

Using props.conf:

[my_sourcetype] EXTRACT-abc = \'(?P<name>[^']+)\'

Hope this helps,

d.

_d_ · ‎09-01-2012

Using rex:

index=data | rex field=Message "\'(?P<name>[^']+)\'"

Using props.conf:

[my_sourcetype] EXTRACT-abc = \'(?P<name>[^']+)\'

Hope this helps,

d.

extract field between two single quotes please help