topic Re: regex question in Splunk Search

regex question

nathanluke86 — Mon, 06 Apr 2020 12:32:21 GMT

I am trying to get exactly 10 digits which might be between white spaces or symbols etc:

1234567890
,234567890 , 1234567890
:1234567890

etc etc

but not 10 digits from a string of 11+ digits etc

There are no unique digits within these 10 digit ID's I am trying to identify. I am just trying to get as close as possible without generating to many false positives

TIA

Re: regex question

gcusello — Mon, 06 Apr 2020 12:36:05 GMT

Hi @nathanluke86,
could you share an example of your logs?
Ciao.
Giuseppe

Re: regex question

nathanluke86 — Mon, 06 Apr 2020 12:45:17 GMT

@gcusello

I don't have specific logs to search. I just need to search all indexes index=* for exactly 10 digit strings that are between white spaces or symbols as above

Thanks

Re: regex question

javiergn — Mon, 06 Apr 2020 13:06:58 GMT

Hi @nathanluke86,

Assuming I fully understood your requirements, the following SPL should do the trick:

| rex max_match=0 "\b(?<id>\d{10})\b"
| mvexpand id

Max match will capture any occurrences of 10 digits in you event and place the values into a multivalued field named id. You can then expand id if you want those multivalue fields to be displayed individually or just leave them as they are.

Hope that makes sense.

Regards,
J

Edited: fixing a typo on the regex as I couldn't test this on a Splunk instance

Re: regex question

gcusello — Mon, 06 Apr 2020 13:22:02 GMT

Hi @nathanluke86,
you could use something like this:

index=your_index 
| rex max_match=0 "\b(?<your_id>\d{10})\b"

Ciao.
Giuseppe

Re: regex question

to4kawa — Mon, 06 Apr 2020 20:09:49 GMT

index=yours
| regex "\b\d{10})\b"
| rex max_match=0 "\b(?<id>\d{10})\b"

at first, search what you want.

Re: regex question

javiergn — Wed, 08 Apr 2020 08:59:36 GMT

Hi @nathanluke86, don't forget to accept one of the answers if your problem is now solved.