i can't extract the exact text using rex command . e.g
User: This is my user Name\n This is just some random texti want to extract a new filed which values is "This is my user Name"
You need 4 slashes in the regex for a single match
View solution in original post
|rex "User:\"(?<username>[^\"]*)"
will extract from the _raw field starting from the character following the first quote after User: up to the first quote.
oh my bad , "" will not exist everytime , the thing for sure and will start from ':' and end with '\n' . I try using this | rex field=msg "User:\s(?<user>.+)"but can't get rid of \n
Is the \n 2 characters or a line feed?
If it's a literal \n then
| rex "User:\s+?(?<username>.*)\\\\n"
If it's a line feed then
| rex "User:\s+?(?<username>.*)\n"
i don't know what is wrong i can't get it work | rex field=msg "User:\s(?<user>.*)\\\\n" this is my query and it doesn't stop at \nuser\n and this text also
in my log it's literally "\n" not next line when i extract something it looks like thisuser1\n but i want only user1 , not \n
