I am trying to extract info from the _raw result of my Splunk query. Currently my _raw result is:
_raw="2014-02-13 13:02:10,3,VIDEO_STREAMING,CAMERA_6,\"Video has stopped or is intermittent for camera 6='Tool Corral Rear Aisle' on encoder 192.168.2.101.\"
I would like to extract the Camera Name, which in this case is 'Tool Corral Rear Aisle', from the above _raw string.
Can anyone help?
Thanks so much!
Try this:
(?<cam_name>[^=]+)(?=\son\sencoder)
usage:
your base search | rex "(?<cam_name>[^=]+)(?=\son\sencoder)"
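As an added example (not from the thread), the regex above run in JavaScript, whose (?<name>...) named-group syntax matches the PCRE syntax Splunk's rex uses, against a constructed copy of the _raw line from the question. It also shows a tighter pattern, an assumption of mine rather than the answerer's, anchored on the camera N='...' structure so the capture excludes the quotes.

```javascript
// Added example, not code from the original thread.
// Constructed copy of the _raw value shown in the question.
const SAMPLE_RAW =
  "2014-02-13 13:02:10,3,VIDEO_STREAMING,CAMERA_6," +
  "\"Video has stopped or is intermittent for camera 6='Tool Corral Rear Aisle' on encoder 192.168.2.101.\"";

// The pattern from the answer: a run of non-'=' characters followed by " on encoder".
// [^=]+ can only start after the '=', so the capture keeps the single quotes
// around the name.
const ANSWER_PATTERN = /(?<cam_name>[^=]+)(?=\son\sencoder)/;

// Assumed tighter alternative: anchor on "camera N='...' on encoder" so the
// capture is the bare name and cannot spill across fields if the message
// shape or the position of '=' differs from this sample.
const STRICT_PATTERN = /camera\s+\d+='(?<cam_name>[^']*)'\s+on\s+encoder/;

// Returns the named group cam_name, or null when the pattern does not match.
function extractCameraName(raw, pattern) {
  const m = pattern.exec(raw);
  return m && m.groups ? m.groups.cam_name : null;
}

console.log(extractCameraName(SAMPLE_RAW, ANSWER_PATTERN)); // 'Tool Corral Rear Aisle'
console.log(extractCameraName(SAMPLE_RAW, STRICT_PATTERN)); // Tool Corral Rear Aisle
```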
Yes, that would be consistent with the other rex commands I was using ... my apologies for that oversight, and I thank you both for your assistance.
When using the Rex command, the regular expression must be in quotes.
That didn't seem to translate correctly once I hit the post comment button ... note that I did use the slashes '\' that you suggested in your reply.
Thank you for your response.
When I run that code I am getting an error msg - Error in 'SearchParser': Missing a search command before '^'.
The total snippet that I entered in my existing query based on your input was: rex field=_raw (?