topic Re: Will someone help me with my Regular Expression query? in Splunk Search

Will someone help me with my Regular Expression query?

Shashank_87 — Tue, 04 Sep 2018 11:48:22 GMT

Hi, I am looking for some help regarding Splunk Regular Expression. I have a data something like this in a field "field1" -

\P1 S+ box  5.00 Dol\BUNDLE_1   0.00 Dol\   P2  Not applicable  15.00 Dol\  DISCOUNT\   D1  -12.50 Dol\T1_EXISTING  0.00 Dol\   T2_EXISTING\    D2 Fibre 41.75 Dol\ T3_EXISTING\    P3  Mix 26.66 Dol\  T4_EXISTING\    P4 Weekends 0.00 Dol\P5 Vgg box 5.00 Dol\DISC*  -15.81 Dol  \P6*    -5.00 Dol   \P7* Phone line 19.00 Dol   \P8*    C&C 0.00 Dol    \TI_PENT*   0.00 Dol    \P9*    -11.00 Dol  \P10* Bundle2   -18.60 Dol  \P11*   Extra Fee   0.00 Dol.

If you observe, there is a product "P1", it's description "S+ box" and Price "5.00 Dol" and like these there are multiple separated by "\".

I want to extract these products with their prices so that I can see each product and their associated
prices.
Basically, I am looking for if any product has got NULL price.

Let me know if someone can help.

Re: Will someone help me with my Regular Expression query?

richgalloway — Tue, 04 Sep 2018 13:26:40 GMT

So, in your example, which product should the regex match?

Re: Will someone help me with my Regular Expression query?

Shashank_87 — Tue, 04 Sep 2018 13:47:45 GMT

I actually need for each product. I want to see if any product has Null price in it. So basically these items u consider as in customer basket so before we proceed for order placing we want to know if there is anything which does not have any price associated with it?

Re: Will someone help me with my Regular Expression query?

ddrillic — Tue, 04 Sep 2018 14:49:26 GMT

Looking at the first product, we can do something like that to extract the two sets -

\\P1(?<name1>.*)(?<price1>\d.\d\d) Dol\\(?<name2>.*)(?<price2>\d.\d\d) Dol\\ P2

Re: Will someone help me with my Regular Expression query?

imthesplunker — Tue, 04 Sep 2018 17:59:07 GMT

Try this.

    | makeresults 
     | eval _raw = "\P1 S+ box 5.00 Dol\BUNDLE_1 0.00 Dol\ P2 Not applicable 15.00 Dol\ DISCOUNT\ D1 -12.50 Dol\T1_EXISTING 0.00 Dol\ T2_EXISTING\ D2 Fibre 41.75 Dol\ T3_EXISTING\ P3 Mix 26.66 Dol\ T4_EXISTING\ P4 Weekends 0.00 Dol\P5 Vgg box 5.00 Dol\DISC* -15.81 Dol \P6* -5.00 Dol \P7* Phone line 19.00 Dol \P8* C&C 0.00 Dol \TI_PENT* 0.00 Dol \P9* -11.00 Dol \P10* Bundle2 -18.60 Dol \P11* Extra Fee 0.00 Dol."
     | rex field=_raw max_match=0 "\\s?(?<Product>P\d+)\*?\s" 
     | rex field=_raw max_match=0 "P\d+\*?\s?(\w+\S?\s?\w+\s)?(?<Price>\-?\d+.\d+\s)Dol"
     | rex field=_raw max_match=0 "P\d+\*?\s?(?<Desc>\w+\S?\s?\w+)\s"
     |table Product Price


Hope this helps!

Re: Will someone help me with my Regular Expression query?

imthesplunker — Tue, 04 Sep 2018 18:08:59 GMT

If Product doesn't have negative values , the regex is | rex field=_raw max_match=0 "P\d+\*?\s?(\w+\S?\s?\w+\s)?\-?(?<Price>\d+.\d+\s)Dol"

Re: Will someone help me with my Regular Expression query?

inventsekar — Wed, 05 Sep 2018 11:47:21 GMT

Check this updated one.. using @imthesplunker 's rex for Price... (Please upvote comments and answers)

| makeresults 
     | eval _raw = "\P1 S+ box 5.00 Dol\BUNDLE_1 0.00 Dol\ P2 Not applicable 15.00 Dol\ DISCOUNT\ D1 -12.50 Dol\T1_EXISTING 0.00 Dol\ T2_EXISTING\ D2 Fibre 41.75 Dol\ T3_EXISTING\ P3 Mix 26.66 Dol\ T4_EXISTING\ P4 Weekends 0.00 Dol\P5 Vgg box 5.00 Dol\DISC* -15.81 Dol \P6* -5.00 Dol \P7* Phone line 19.00 Dol \P8* C&C 0.00 Dol \TI_PENT* 0.00 Dol \P9* -11.00 Dol \P10* Bundle2 -18.60 Dol \P11* Extra Fee 0.00 Dol."
     | rex field=_raw max_match=0 "\\s?(?<Product>P\d+\D?)\s"
     | rex field=_raw max_match=0 "P\d+\*?\s?(\w+\S?\s?\w+\s)?(?<Price>\-?\d+.\d+\s)Dol"
     | table Product Price _raw

Re: Will someone help me with my Regular Expression query?

Shashank_87 — Wed, 05 Sep 2018 12:31:16 GMT

Thank you. After some minor modification that worked smoothly. Many thanks for the help. 🙂