I can't seem to get my regex to work as a field extraction. Below is an example string and the regex I'm trying to use.
Sample string:
ab&q=john+schneider+singer+-actor&oq=john+schneider+singer+-actor&g
Regex:
(?<=ab&q=)\S*(?=&oq)
This is what I've been trying in Splunk:
rex field=url "(?<=ab&q=)\S*(?=&oq)(?
Basically I want to extract everything between "ab&q=" and "&oq"
I think you're looking for something like this:
rex field=url "ab&q=(?<fieldname>\S*)&oq(.*)"
Works great, thanks.
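A self-contained search that reproduces the extraction on the sample string from the question, added here as an example and not part of the original thread. It goes one step beyond the accepted answer by bounding the capture with `[^&]*` so it stops at the first `&` instead of relying on greedy `\S*`, and by decoding the value for readability. The field names `query_raw` and `query` are hypothetical.

```spl
| makeresults
| eval url="ab&q=john+schneider+singer+-actor&oq=john+schneider+singer+-actor&g"
| rex field=url "ab&q=(?<query_raw>[^&]*)&oq="
| eval query=urldecode(replace(query_raw, "\+", " "))
| table url query_raw query
```

`rex` only creates fields from named capture groups, which is why a pattern made up solely of lookarounds extracts nothing. The `+` characters are turned into spaces before `urldecode` so that an encoded `%2B` still decodes to a literal plus sign.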