https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471746#M132737 <P>Hi @ jpolvino,</P> <P>I only need SES and ABC extracted from above patterns. In last example, ABC is twice. It is same ABC but second one has additional number or a character. I will need the 9 digit ABCs only which is the middle one in last example.</P> <P>Sample data:<BR /> 1234567-123456789--- (Need 9 digit ABC only, 123456789)<BR /> 1234567-1234567890-123456789-- (Need 9 digit ABC only, 123456789)<BR /> 12345678-123456789--A12345678-123456789 (Need 9 digit ABC only, 123456789, last one)<BR /> 123456789 (Need 9 digit ABC only, 123456789)<BR /> 12345678900000 (Need 9 digit ABC only, 123456789)<BR /> 12345ac4-1234-1a12-9as9-1aa111as23aa (This I am trying to figure out with data owners to clarify this pattern)<BR /> 12345678900000-123456789 (Need 9 digit ABC only, 123456789)<BR /> 12345678900000-123456789-1234567890 (Need 9 digit ABC only, 123456789, the middle one)</P> Wed, 15 Apr 2020 05:41:20 GMT mbasharat 2020-04-15T05:41:20Z https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471741#M132732 <P>Hi,</P> <P>I have data that contains Sessions ID labeled as (SES) and User ID labeled as (ABC). </P> <P>When I look at the events, I am seeing below variations. RegEx should grab anything that is 14 digits followed by 0 or more groups of dash/hyphen with 9 digits or dash/hyphen with 0 digits. I need a RegEx that extract the SES and ABC into separate fields from below variations. </P> <P>Formats seen:<BR /> SES<BR /> SES-ABC<BR /> SES—ABC<BR /> SES—ABC-<BR /> SES-ABC-ABC</P> <P>Sample data:<BR /> 1234567-123456789---<BR /> 1234567-1234567890-123456789--<BR /> 12345678-123456789--A12345678-123456789<BR /> 123456789<BR /> 12345678900000<BR /> 12345ac4-1234-1a12-9as9-1aa111as23aa<BR /> 12345678900000-123456789<BR /> 12345678900000-123456789-1234567890</P> <P>Thanks in-advance</P> Mon, 13 Apr 2020 17:41:10 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471741#M132732 mbasharat 2020-04-13T17:41:10Z https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471742#M132733 <P>Hi, can you please provide a little more detail? Specifically in the examples you provide, what are the examples of SES and ABC matches you expect from the legal ones? And which of those should not match anything?</P> <P>When you have ABC twice (the last formats seen line) is that literally the <EM>same</EM> ABC twice, or different ABCs?</P> Mon, 13 Apr 2020 19:07:16 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471742#M132733 jpolvino 2020-04-13T19:07:16Z https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471743#M132734 <P><CODE>12345ac4-1234-1a12-9as9-1aa111as23aa</CODE><BR /> where is SES and ABC?</P> Mon, 13 Apr 2020 23:34:04 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471743#M132734 to4kawa 2020-04-13T23:34:04Z https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471744#M132735 <PRE><CODE>| makeresults | eval _raw="raw 1234567-123456789--- 1234567-1234567890-123456789-- 12345678-123456789--A12345678-123456789 123456789 12345678900000 12345ac4-1234-1a12-9as9-1aa111as23aa 12345678900000-123456789 12345678900000-123456789-1234567890" | multikv forceheader=1 | rex max_match=2 "(?&lt;SES&gt;^\d+)|-(?&lt;ABC&gt;\d+)(?:-|$)" | eval SES=trim(SES,"0"), ABC=trim(ABC,"0") </CODE></PRE> <P>use <CODE>rex</CODE> with limits <CODE>max_match</CODE></P> Mon, 13 Apr 2020 23:40:23 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471744#M132735 to4kawa 2020-04-13T23:40:23Z https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471745#M132736 <P>Hi @ t04kawa This one is a very odd pattern and I am also scratching my head when I was looking at it. Lemme try your provided solution below. Will report back shortly.</P> Wed, 15 Apr 2020 05:36:14 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471745#M132736 mbasharat 2020-04-15T05:36:14Z https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471746#M132737 <P>Hi @ jpolvino,</P> <P>I only need SES and ABC extracted from above patterns. In last example, ABC is twice. It is same ABC but second one has additional number or a character. I will need the 9 digit ABCs only which is the middle one in last example.</P> <P>Sample data:<BR /> 1234567-123456789--- (Need 9 digit ABC only, 123456789)<BR /> 1234567-1234567890-123456789-- (Need 9 digit ABC only, 123456789)<BR /> 12345678-123456789--A12345678-123456789 (Need 9 digit ABC only, 123456789, last one)<BR /> 123456789 (Need 9 digit ABC only, 123456789)<BR /> 12345678900000 (Need 9 digit ABC only, 123456789)<BR /> 12345ac4-1234-1a12-9as9-1aa111as23aa (This I am trying to figure out with data owners to clarify this pattern)<BR /> 12345678900000-123456789 (Need 9 digit ABC only, 123456789)<BR /> 12345678900000-123456789-1234567890 (Need 9 digit ABC only, 123456789, the middle one)</P> Wed, 15 Apr 2020 05:41:20 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471746#M132737 mbasharat 2020-04-15T05:41:20Z https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471747#M132738 <P>After dealing with customer, data at the source is fixed. Above RegEx works perfectly now. THANK YOU!</P> Sun, 19 Apr 2020 03:25:48 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-for-pattern-matching-and-extraction/m-p/471747#M132738 mbasharat 2020-04-19T03:25:48Z