topic Re: How do you capture values with regex? in Splunk Search

How do you capture values with regex?

ebkeys94 — Tue, 22 Jan 2019 16:30:24 GMT

Hi,

I am fairly new to regex and cannot figure out how to capture certain strings. Here is an example of the string in the file:

"'phoneNumber'  '1234567890'"

This string comes on one line and the two values are separated by a tab chart. I want to extract all of these phone numbers and list them under a 'phoneNumber' column. How do I go about getting these numbers? Thanks in advance

Re: How do you capture values with regex?

Vijeta — Tue, 22 Jan 2019 17:51:22 GMT

Assuming the ph number is going to be 10 digits you can use, rex field=x "'phone number'\s+'(?\d{10})'"

For example-

| makeresults |eval x="'phone number' '1234567890'"| rex field=x "'phone number'\s+'(?<phoneNumber>\d{10})'"

Re: How do you capture values with regex?

ebkeys94 — Tue, 29 Sep 2020 22:54:38 GMT

I'll give a more specific example. A log can look like this:

2019-01-22T19:47:46.847 Int 04543 Interaction message "EventCallDataChanged")
: message EventCallDataChanged
AttributeUserData [2039] 00 3f 00 00..
'agent_id' ''
'attempt' 0
'phoneNumber' '1234567890'
'ent_CallResult' xx
'call_time' 0
'campaign_id' xxx

I want to get all phone numbers from logs and put into phonenumber column

Re: How do you capture values with regex?

ebkeys94 — Tue, 22 Jan 2019 19:55:23 GMT

Thanks for the answer but it did not seem to work. I put a better example in a comment to my post

Re: How do you capture values with regex?

Vijeta — Tue, 22 Jan 2019 20:12:27 GMT

Try this.

rex field=x "'phoneNumber'\s+'(?<phoneNumber>\d{10})'"