Solved: Re: filter text using rex

nwayoonyanmin · ‎05-11-2023

i can't extract the exact text using rex command .
e.g

User: This is my user Name\n This is just some random text

i want to extract a new filed which values is "This is my user Name"

bowesmana · ‎05-11-2023

You need 4 slashes in the regex for a single match

View solution in original post

bowesmana · ‎05-11-2023

|rex "User:\"(?<username>[^\"]*)"

will extract from the _raw field starting from the character following the first quote after User: up to the first quote.

nwayoonyanmin · ‎05-11-2023

oh my bad , "" will not exist everytime , the thing for sure and
will start from ':' and end with '\n' . I try using this | rex field=msg "User:\s(?<user>.+)"
but can't get rid of \n

bowesmana · ‎05-11-2023

Is the \n 2 characters or a line feed?

bowesmana · ‎05-11-2023

If it's a literal \n then

| rex "User:\s+?(?<username>.*)\\\\n"

If it's a line feed then

| rex "User:\s+?(?<username>.*)\n"

nwayoonyanmin · ‎05-12-2023

i don't know what is wrong i can't get it work
| rex field=msg "User:\s(?<user>.*)\\\\n"
this is my query and it doesn't stop at \n

user\n and this text also

nwayoonyanmin · ‎05-11-2023

in my log it's literally "\n" not next line when i extract something it looks like this

user1\n

but i want only user1 , not \n

bowesmana · ‎05-11-2023

You need 4 slashes in the regex for a single match

filter text using rex

field extraction

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation