find string between two given strings in splunk

suruthyshree · ‎01-04-2011

How i can get the string between two given strings.

Log has entires like

22:09: DT : 2178we352njsdfh48734 : EF and so on.

I want to find fetch the values between "DT :" and ": EF". The "2178we352njsdfh48734" will vary based on the request and the "DT :" and ": EF": will remain same for all the request.

siri1410 · ‎10-27-2017

"search string" | rex field=_raw "DT : (?P[^\s]+) : EF" | dedup txid| table txid

southeringtonp · ‎01-04-2011

Generally, you want to either use rex or create a dedicated field extraction. For more complete information, look here.

Using rex:

In the search string, add the following to your search:

| rex field=xx "^\d+:\d+: DT : (?<txid>.*?) : EF"

For something more permanent, you can use:

transforms.conf:

[mytxid]
REGEX = "^\d+:\d+: DT : (.*?) : EF"
FORMAT = txid::$1

props.conf:

[yoursourcetype]
REPORT-txid = mytxid

find string between two given strings in splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

find string between two given strings in splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future