Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- rex extraction
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a212830
Champion
01-09-2014
07:51 AM
Hi,
I'm trying to extract a field via rex for a search and having problems. Hoping someone could help me...
Here's some sample data - I want to get the "user" field, which is the "a" plus the 6 digits. I had rex "(?i)/.*?/(?P<FIELDNAME>[a-f0-9]+)(?=@)", but that didn't work.
2014-01-09T10:35:27.671644-05:00 hosta Juniper: 2014-01-09 10:35:27 - ive - [1.2.3.4] a123456(Mobile Web Cert)[Mobile] - Network Connect: Session started for user with IP 67.68.1.2, hostname a123456s-iPad
2014-01-09T10:34:40.618589-05:00 hosta Juniper: 2014-01-09 10:34:40 - ive - [7.8.9.0] a987654 JOE SCHMOE(Web Cert)[Full Access] - Network Connect: Session started for user with IP 1.2.3.4, hostname BLAH
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
01-09-2014
07:57 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arihant16cse
Path Finder
02-06-2019
10:16 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lukejadamec
Super Champion
01-09-2014
08:06 AM
Try something like this:
search |rex ".*(?P<userID>[a]\d{6})"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
01-09-2014
07:57 AM
I would suggest;
... | rex "\]\s(?<user>a\d{6})"
/k
Get Updates on the Splunk Community!
Congratulations to the 2025-2026 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Your Guide to Splunk Digital Experience Monitoring
A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...
