https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419900#M120734 <P>Assuming that they all have exactly the same number of numbers after them (12)...</P> <PRE><CODE> | rex field=_raw max_match=0 "(?&lt;INC_Number&gt;INC\d{12})" </CODE></PRE> <P>The above will extract all INC numbers in the field _raw and put them in a multivalue field. You can query how many matches were made with... </P> <PRE><CODE>| eval MatchCount=coalesce(mvcount(INC_Number),0) </CODE></PRE> <P>The coalesce will set the count to 0 if there were no matches. </P> <P>If they can have a range of number lengths, say 10 to 12, then change the <CODE>\d{12}</CODE> to <CODE>\d{10,12}</CODE></P> Thu, 23 Aug 2018 05:13:44 GMT DalJeanis 2018-08-23T05:13:44Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419899#M120733 <P>Hi All,</P> <P>Kindly help me with regex for below sample data.<BR /> Its only a sample there might be some other pattern of data. <BR /> I need to extract only the values starting with <CODE>INC</CODE> eg(INC000013444216,INC000033109432,INC000000000958,INC000014660933) and store in a separate field.</P> <PRE><CODE>DESCRIPTION"Request Information ticket no.: INC000013444216" DESCRIPTION"Gathered Info ticket no.:INC000033109432 &amp; the bad data." DESCRIPTION"DDD D Required Informed ticket no.:INC000000000958 " DESCRIPTION"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB" DESCRIPTION"DD DS Access of the ticket no.:INC000000000958 and INC000014660933" DESCRIPTION"Self comment ticket no.: INC000014141414 &amp; INC000014071414" DESCRIPTION"Known data ticket no.: INC000014222242 (INC000014555536)" DESCRIPTION"Other DB ticket no.: INC000013777778 | 6020359" DESCRIPTION"My Data base ticket no.:INC000013788880 and INC000013999916" DESCRIPTION"Stay For the Information ticket no.: INC000013111117 | INC000013123418 " DESCRIPTION"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599" DESCRIPTION"Correct Informed ticket no.:INC000045675462, INC000009878538 " DESCRIPTION"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more" </CODE></PRE> <P>Thanks in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 23 Aug 2018 05:01:40 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419899#M120733 Shan 2018-08-23T05:01:40Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419900#M120734 <P>Assuming that they all have exactly the same number of numbers after them (12)...</P> <PRE><CODE> | rex field=_raw max_match=0 "(?&lt;INC_Number&gt;INC\d{12})" </CODE></PRE> <P>The above will extract all INC numbers in the field _raw and put them in a multivalue field. You can query how many matches were made with... </P> <PRE><CODE>| eval MatchCount=coalesce(mvcount(INC_Number),0) </CODE></PRE> <P>The coalesce will set the count to 0 if there were no matches. </P> <P>If they can have a range of number lengths, say 10 to 12, then change the <CODE>\d{12}</CODE> to <CODE>\d{10,12}</CODE></P> Thu, 23 Aug 2018 05:13:44 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419900#M120734 DalJeanis 2018-08-23T05:13:44Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419901#M120735 <P>@shankarananth Some of your events have more than one <CODE>INC#####</CODE>, do you want to extract all? Also There is one event with <CODE>| 6020359</CODE>. Is that INC as well?</P> <P>Can you try the following run anywhere example?</P> <PRE><CODE>| makeresults | eval description=" DESCRIPTION\"Request Information ticket no.: INC000013444216\"; DESCRIPTION\"Gathered Info ticket no.:INC000033109432 &amp; the bad data.\"; DESCRIPTION\"DDD D Required Informed ticket no.:INC000000000958 \"; DESCRIPTION\"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB\"; DESCRIPTION\"DD DS Access of the ticket no.:INC000000000958 and INC000014660933\"; DESCRIPTION\"Self comment ticket no.: INC000014141414 &amp; INC000014071414\"; DESCRIPTION\"Known data ticket no.: INC000014222242 (INC000014555536)\"; DESCRIPTION\"Other DB ticket no.: INC000013777778 | 6020359\"; DESCRIPTION\"My Data base ticket no.:INC000013788880 and INC000013999916\"; DESCRIPTION\"Stay For the Information ticket no.: INC000013111117 | INC000013123418 \"; DESCRIPTION\"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599\"; DESCRIPTION\"Correct Informed ticket no.:INC000045675462, INC000009878538 \"; DESCRIPTION\"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more\"" | makemv description delim=";" | mvexpand description | rex field="description" "(?&lt;IncidentNumber&gt;INC\d+)" max_match=0 </CODE></PRE> <P><CODE>max_match=0</CODE> extracts multiple Incident Numbers. If you remove the argument it will extract only first occurrence.</P> Thu, 23 Aug 2018 05:16:40 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419901#M120735 niketn 2018-08-23T05:16:40Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419902#M120736 <P>@niketnilay,</P> <P>It's working fine.. Thanks for your help :-). <BR /> I hope still i need to upgrade myself in many things.. </P> <P>Please convert your comment into answers.. So i can accept it ..</P> Thu, 23 Aug 2018 05:27:04 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419902#M120736 Shan 2018-08-23T05:27:04Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419903#M120737 <P>@ DalJeanis,</P> <P>I have tried your too its working good .. <BR /> A small addition <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ..</P> <PRE><CODE> | rex field=_raw max_match=0 "(?&lt;INC_Number&gt;INC\d{12})" </CODE></PRE> <P>Thanks you ....</P> Thu, 23 Aug 2018 05:32:09 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419903#M120737 Shan 2018-08-23T05:32:09Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419904#M120738 <P>I've converted the comment to an answer, so it can now be accepted, @shankarananth.</P> Thu, 23 Aug 2018 16:10:47 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419904#M120738 cpetterborg 2018-08-23T16:10:47Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419905#M120739 <P>@shankarananth - updated. Thanks!</P> Sun, 26 Aug 2018 20:31:47 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-values-starting-with-a-specific-name-using/m-p/419905#M120739 DalJeanis 2018-08-26T20:31:47Z