Solved: Re: using regex for field extraction

dylanhess · ‎12-07-2021

I am trying to extract the action=* from this field, in this event its add. I've trying extracting through how you would typically extract fields but it doesn't want to capture all the different possible events, action=delete, action=replace etc.

UPDATE#011class=DATASET#011prof=IMSVS.*#011vol=P1CP02#011dsn=IMSVS.BETALIBA#011member=PYNMU49#011box=HTC-95-000000033771-0094#011action=ADD#011sum=PJXCPAI6

So I resorted to trying to manually write my own regex (?<=action=).*(?=#) but I cant seem to get the rex command to work or manually add my regex to the filed extraction

rex field=intent (?<=action=).*(?=#)

I get this error message when using the rex command above.

Error in 'rex' command: The regex '(?<=action=).*(?=#)' does not extract anything. It should specify at least one named group. Format: (?<name>...).

ITWhisperer · ‎12-07-2021

rex field=intent "action=(?<action>[^#]*)#"

View solution in original post

ITWhisperer · ‎12-07-2021

rex field=intent "action=(?<action>[^#]*)#"

dylanhess · ‎12-07-2021

Thank you so much!

using regex for field extraction

field extraction

fields

regex

rex

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?