topic Regex: Simple Substring for Field Extraction in Splunk Search

Regex: Simple Substring for Field Extraction

talismanc — Mon, 28 Sep 2020 09:46:02 GMT

Hi All

I seem to be having a little issue extracting data from a specific position, the data I am working with have fields that start and end at a specific character position. The automatic generator does a good job but seems to miss some data and therefore would simply like to add fields based on character position. For Example:

Data:

27/07/11 18:59 209 03 0014111111190*A 00:05'36

27/07/11 19:18 209 03 00141111119906 00:18'15

27/07/11 22:14 224 03 00117111141136 00:09'01

I would like to extract the data in bold (substring 58-62)

Can this be done simple?

Thanks in advance.

Chris

Re: Regex: Simple Substring for Field Extraction

mw — Sat, 30 Jul 2011 14:52:43 GMT

Does this work for you?

\s+(?<myfield>\d+:\d+)\'\d+$

Re: Regex: Simple Substring for Field Extraction

talismanc — Sat, 30 Jul 2011 16:54:23 GMT

Thanks for the reply, i tried that and just got a syntax error.

I have now managed to solve it, i steered clear of just trying to grab the nth to nth character and created the following.

(?i)^\d+/\d+/\d+\s+\d+:\d+\s+\d+\s+\d+\s+\S+\s+(?P<Duration_Mins2>[^']+)

Because sometimes my PBX spat out text and special characters in the Phone Number field it was messing with Splunks Generate capability.

Seems rather simple when i actually stood back and looked at it!!