Reputation: 3
Using Splunk rex command to extract a field between 2 words
Please assist extracting\creating a new field between 2 fixed words, one of which begins with !
Example:
!CASH OUT $50.00! !TOTAL AUD $61.80!
!CASH OUT and !TOTAL are fixed but the value amount in between ($22.00!) changes. I would like to create a field so I can filter the events by the cash out amount ect. I would only want the dollar amount to be the field without the ! at the end.
I've tried the below search but it creates a cashout field with all data after !CASH OUT and doesn't cut the field before !TOTAL
"CASH OUT" "!TOTAL" | rex "CASH OUT (?.*)!TOTAL"
search | "CASH OUT" "!TOTAL" | rex "CASH OUT (?.*)!TOTAL"
field = $50.00
Upvotes: 0
Views: 2235
Answers (1)
Reputation: 2651
rex "(?<total>\$[^!]+)"
Into capturing group called total, capture anything that begins with a dollar sign, followed by everything that isn't available exclamation mark.
rex "\$(?<total>\[^!]+)"
If you don't want to include the dollar sign in the captured field
Upvotes: 1
Related Questions
- Splunk: How to extract a field containing spaces at end
- splunk query to extract multiple fields from single field
- Extracting multi values with regex ( Only values, Not Fieldname )
- Splunk extract a value from string which begins with a particular value
- Splunk rex extract field, I am close but just cant get it matching
- Splunk: How to extract field directly in Search command using regular expressions?
- How to only extract match strings from a multi-value field and display in new column in SPLUNK Query
- Splunk - regex extract fields from source
- Splunk: how to extract fields using regular expressions? like rex in splunk search
- Regex to extract two values from single string in Splunk