topic Re: regex - Remove characters from results field. in Getting Data In

regex - Remove characters from results field.

nlisle — Fri, 16 Aug 2019 14:07:17 GMT

Hello,

I have produced a search result field which looks something along the lines of BC000000$@ab.firmakhueny.abc\ (I have obfuscated the data however they are the same category).

What I would like to create is a regex or something similar which may do the job better to remove all data before and after "000000" and to only present this field in the table created. To confirm I have replicated the original field and added in quotation marks presenting the data that we would like presented after the regex - BC"000000"$@ab.firmakhueny.abc\ .

Thank you for the support in adavance.

Re: regex - Remove characters from results field.

richgalloway — Fri, 16 Aug 2019 14:58:48 GMT

To extract the numeric portion into a new field, this rex command should do the job.

... | rex field=foo "(?<newfield>\d+)" | ...

To replace the entire field with just the numeric portion, try this.

... | rex field=foo mode=sed "s/([^\d]+)(\d+)(.*)/\2/" | ...

Re: regex - Remove characters from results field.

nlisle — Fri, 16 Aug 2019 15:15:59 GMT

Thank you for your response richgalloway. I have implemented the second rex command to replace the entire field with the six character numeric field from the initial search field however I am given this result "$2".

Thanks,
N

Re: regex - Remove characters from results field.

richgalloway — Fri, 16 Aug 2019 16:40:59 GMT

Ah, sorry about that. Regex101.com and Splunk use different substitution methods. I've corrected my answer.

Re: regex - Remove characters from results field.

nlisle — Fri, 16 Aug 2019 17:02:58 GMT

Thanks that worked!