topic Re: How to filter for a specific pattern with wild card? in Getting Data In

How to filter for a specific pattern with wild card?

aamer4zangi — Thu, 05 Apr 2018 21:25:39 GMT

Hi,

In excel you can custom filter the cells using a wild card with a question mark.
For example, if I want to filter following data I will write AB??-
AB22- , AB43-, AB03-

Are these searches possible in Splunk? If I write AB*- , it will match AB1233-, ABw-, AB22222222-.

I want specifically 2 characters between AB and -

Thanks.

Re: How to filter for a specific pattern with wild card?

sravankaripe — Thu, 05 Apr 2018 22:23:07 GMT

write add below rex to your query

| rex "AB(?\d\d)-" | eval myfield="AB".myfield | search myfield=*

please let me know if its works?

Re: How to filter for a specific pattern with wild card?

mayurr98 — Fri, 06 Apr 2018 05:56:58 GMT

Try this run anywhere search

| makeresults | eval raw="AB22-,AB43-,AB03-,AB1233-,ABw-,AB22222222-"| makemv raw delim="," | mvexpand raw| rex field=raw "(?<newfield>AB\d{2}-)"| search newfield=*

In your environment, you should write

<your  base search >| rex field=_raw "(?<newfield>AB\d{2}-)"| search newfield=*

If these are getting capture in a specific field the write field=<your_field> in rex command or else _raw.

let me know if this helps!

Re: How to filter for a specific pattern with wild card?

aamer4zangi — Fri, 06 Apr 2018 15:44:58 GMT

Thanks in advance. I got the following error.

Error in 'rex' command: Encountered the following error while compiling the regex 'AB(?\d\d)-': Regex: unrecognized character after (? or (?-

Re: How to filter for a specific pattern with wild card?

mayurr98 — Fri, 06 Apr 2018 15:55:35 GMT

did you try this?

Re: How to filter for a specific pattern with wild card?

aamer4zangi — Fri, 06 Apr 2018 15:58:02 GMT

Thanks for the reply.
I must confess I am encountering makeresults for the first time, so trying to wrap my head around the search cmd.

AB22-,AB43-,AB03-,AB1233-,ABw-,AB22222222- is not my raw data, it was just an example. The cells contain data with a pattern of ABXX- and I want to filter only those records in a specific column which follow that specific pattern.

I did come across filter option when converting data into Data Table. However, still no success.

Re: How to filter for a specific pattern with wild card?

mayurr98 — Fri, 06 Apr 2018 16:01:11 GMT

did you try this?

index=<your_index>| rex field=_raw "(?<newfield>AB\d{2}-)"| search newfield=*

can you share sample raw events so that I can give you appropriate regex?

Re: How to filter for a specific pattern with wild card?

aamer4zangi — Fri, 06 Apr 2018 16:16:28 GMT

There are thousands of lines, just sampling few lines. This data is coming from comments people write for specific hardware and is not generated by a machine. Thus, it is highly random. The raw data is as follows. Additionally this data is present in a specific column.

After the search the first 6 rows should be the final result.

1 1401812.AQWEAB02-TCPL02.1G
2 1356292.QWERAB04-ANCA02
3 1234OAB05-PLAIN02 reserved ||
4 1405252.AB07-SBCC01
5 1409325-ARDRAB05-GENIV02.22
6 1304030.ARDRAB07-TECEL02.10333
7 1389621.ABFDBC01-COGDS02333
8 1349222.ABFDBC01-MOH29.5MJJ
9 1313513.ABFDBC01-BPRSS
10 1393599.ABFDBC01-WGELP
11 1375957.ABFDBC01-BREQL01.0M222
12 1332348.ABFDBC01-MANNG01.10M1WW1

13 1321017.ABFDBC01-BLJCW01.3MQQ

Moreover, it is not only AB??- that I would be searching for, there are other criteria as well but I guess if we can get one criteria down then others should follow the same pattern.

Re: How to filter for a specific pattern with wild card?

mayurr98 — Fri, 06 Apr 2018 16:36:32 GMT

yes so I have given the correct regex
what is the result of this search?

 index=<your_index>| rex field=_raw "(?<newfield>AB\d{2}-)"| search newfield=*

I have already given you the solution.
See my workaround here. it is exactly matching first 6 events. above search will return only events with AB??-.
https://regex101.com/r/7b6mTh/1

Re: How to filter for a specific pattern with wild card?

mayurr98 — Fri, 06 Apr 2018 16:39:11 GMT

If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.

Re: How to filter for a specific pattern with wild card?

aamer4zangi — Fri, 06 Apr 2018 16:57:06 GMT

Thanks a lot mate. Yes, it worked as wanted. In the end if I want to add BC??- to AB??- how should I add these two.

Re: How to filter for a specific pattern with wild card?

mayurr98 — Fri, 06 Apr 2018 17:07:34 GMT

do you mean (AB OR BC)??-?
then try this

(?<newfield>((AB)|(BC))\d{2}-)

Re: How to filter for a specific pattern with wild card?

aamer4zangi — Fri, 06 Apr 2018 17:18:30 GMT

Thanks again...yes. It did the trick.

Moreover, regex101.com is a great tool.