find string between two given strings in splunk

suruthyshree · ‎01-04-2011

How i can get the string between two given strings.

Log has entires like

22:09: DT : 2178we352njsdfh48734 : EF and so on.

I want to find fetch the values between "DT :" and ": EF". The "2178we352njsdfh48734" will vary based on the request and the "DT :" and ": EF": will remain same for all the request.

siri1410 · ‎10-27-2017

"search string" | rex field=_raw "DT : (?P[^\s]+) : EF" | dedup txid| table txid

southeringtonp · ‎01-04-2011

Generally, you want to either use rex or create a dedicated field extraction. For more complete information, look here.

Using rex:

In the search string, add the following to your search:

| rex field=xx "^\d+:\d+: DT : (?<txid>.*?) : EF"

For something more permanent, you can use:

transforms.conf:

[mytxid]
REGEX = "^\d+:\d+: DT : (.*?) : EF"
FORMAT = txid::$1

props.conf:

[yoursourcetype]
REPORT-txid = mytxid

find string between two given strings in splunk

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!