Splunk Search

rex field extraction


I am getting familiar with splunk commands, trying to extract hostname from an extracted field called monitor_name. monitor_name field data look like this,

[Linux][FWA Electronic Channel Messaging][l91oma1][Process][SS][/fiwlspoma4/was/INSTANCE1/profiles/base/servers/server1][error]

I would like to extract l91oma1, vlrtp569,vlrtp123 from the above field using rex command. Can someone help me with the regular expression.

Tags (1)
0 Karma


Hi anoopambli

This search code work well

...................................|rex max_match=0 field=_raw "\[Linux\]\[[a-zA-Z\s+]+\]\[(?<monitor_name>[^\]]+)\]"|mvexpand monitor_name|table monitor_name

Look at my result

alt text

0 Karma


use this

rex field=_raw "^(?:[^\[\n]*\[){3}(?P<fieldname>\w+)"
0 Karma


@kml_uvce your escaping backslashes were lost since you forgot to use the "code" tags around your regex. The regex should actually look like below:

rex field=_raw "^(?:[^\[\n]*[){3}(?P<fieldname>w+)"
0 Karma

Revered Legend

And there is backslash missing before "w+" as well. So it should be

rex field=_raw "^(?:[^\[\n]*[){3}(?P<fieldname>\w+)"
0 Karma


Thanks everyone, that helped me.

0 Karma
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...