topic Re: rex field extraction in Splunk Search

rex field extraction

swetasoneji — Wed, 18 Apr 2018 16:52:42 GMT

How would I extract account number here,

message:Receiving exp from: Long URL /Eex for account(s): 8768

rex field=_raw "Exposure for account(s):\s+(?[^,]+)"

It neither brings result nor error.

Re: rex field extraction

swetasoneji — Wed, 18 Apr 2018 16:54:32 GMT

rex field=_raw "Eex for account(s):\s+(?[^,]+)"

Re: rex field extraction

elliotproebstel — Wed, 18 Apr 2018 16:57:39 GMT

Try using the code 101010 button or wrapping your rex command with backticks.

Re: rex field extraction

swetasoneji — Wed, 18 Apr 2018 16:59:50 GMT

can you please elaborate? I'm fairly new to splunk

Re: rex field extraction

elliotproebstel — Wed, 18 Apr 2018 17:09:09 GMT

Sure! This isn't a Splunk thing per se, but rather more about how to post your question here. It looks like part of your rex command is getting eaten up by the formatting here, so it's hard to diagnose.

When you post code, it's best to click the button that looks like 101010 so that your code can be escaped and all characters preserved. If you can't find that button, you can use a single backtick (the character at the top left of your keyboard, on the same key as the ~ tilde) before and after your code.

Re: rex field extraction

niketn — Wed, 18 Apr 2018 17:49:44 GMT

@swetasoneji, following is a run anywhere search based on the sample data to fetch account.

| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768"
| rex "\/Eex for account\(s\):\s(?<accounts>.*)"

Based on your data and partial rex seems like if there are multiple accounts they would be comma separated. Can you please add another sample for multiple accounts?

You can try the following run anywhere search if multiple accounts are comma separated.

| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768.8851,8423"
| rex "\/Eex for account\(s\):\s(?<accounts>.*)"
| makemv accounts delim=","
| mvexpand accounts

Following is the like from regex101.com for you to test regular expression with your sample data and alsi understand how regular expression is working: https://regex101.com/r/m1dGQZ/1
While posting sample data or Code here on Splunk Answers you can click the code button which looks like 101010, you can also try shortcut CTRL+K after highlighting the code/data, or in worst case press an enter before typing the code and add four spaces before every line of the code/data to enable code section. If you do not do the same special characters will get escaped.

Re: rex field extraction

FrankVl — Wed, 18 Apr 2018 17:51:10 GMT

Your message sample says /Eex, your regex starts with "Exposure". Is that just a typo or so in your sample, otherwise that could be one of the issues.

Also:

If you want to actually match a ( character, you need to escape it
your capturing group needs to be named, such that it will get put into a field

To keep it simple (you can enhance it if you need), something like this should work:

| rex field=_raw "account\(s\):\s+(?<account_number>\d+)"

Re: rex field extraction

swetasoneji — Thu, 19 Apr 2018 09:29:42 GMT

Thanks a lot.

This worked | rex field=_raw "account(s):\s+(?\d+)"

But let's if I've multiple accounts here..7293,7243BMKTL, 8987,5787JHR

Re: rex field extraction

niketn — Thu, 19 Apr 2018 09:47:17 GMT

@swetasoneji, have you tried the answer above with run anywhere example?

Re: rex field extraction

FrankVl — Thu, 19 Apr 2018 09:51:02 GMT

What do you want to do with multiple account numbers? Take the first one? Take them all and make it a multi value field?

Re: rex field extraction

swetasoneji — Thu, 19 Apr 2018 10:27:31 GMT

Manage to work it up:

https://regex101.com/r/ELFlV3/1

Thanks all for your help.

Re: rex field extraction

TISKAR — Thu, 19 Apr 2018 10:37:16 GMT

Hey,

What are doing it's correct you must juste add \ to ( like n\(s\), and add name of field extract like ?\<accounts\>, for example:

| makeresults 
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768"
| rex field=_raw "Eex for account\(s\):\s+(?<accounts>[^,]+)"

Re: rex field extraction

swetasoneji — Thu, 19 Apr 2018 11:12:05 GMT

I'm actually trying to do this.
https://regex101.com/r/ELFlV3/1

I want to only take accounts. Don't want take any text after that.

Re: rex field extraction

TISKAR — Thu, 19 Apr 2018 12:01:30 GMT

You can test directly in Splunk, that take only number not texte, copie and past all the request in Search bar

Re: rex field extraction

swetasoneji — Thu, 19 Apr 2018 12:03:41 GMT

this doesn't fit with the search I'm using it.

https://regex101.com/r/ELFlV3/1

But don't want anything from sample test run.

Result should be:8768,789JRH,789JRH,789JRH,7854JRH

Re: rex field extraction

swetasoneji — Thu, 19 Apr 2018 12:06:22 GMT

how to make multi value field

Re: rex field extraction

swetasoneji — Thu, 19 Apr 2018 12:08:05 GMT

https://regex101.com/r/ELFlV3/1

Don't want to take sample test run in my result:

Final result would be 8768,789JRH,789JRH,789JRH,7854JRH

Re: rex field extraction

TISKAR — Thu, 19 Apr 2018 12:19:41 GMT

Hello,

To take a multivalues, you can use makemv and mvexpand command:

| makeresults 
     | eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR"
     | rex field=_raw "Eex for account\(s\):\s+(?<accounts>.*)"
| makemv delim="," accounts
| mvexpand accounts

If that'd work please accept the anwser to help another person with some problem

Re: rex field extraction

elliotproebstel — Thu, 19 Apr 2018 14:16:22 GMT

It sounds like your event might have more data after the account number(s). Can you paste a full sample event, so that we can help you figure out how to extract all account numbers but not the text after the accounts?

Re: rex field extraction

TISKAR — Thu, 19 Apr 2018 14:30:16 GMT

Yes, its easy this

| makeresults 
      | eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR"
      | rex field=_raw "Eex for account\(s\):\s+(?<accounts>.*)"
 | makemv delim="," accounts
 | mvexpand accounts
| rex field=accounts "(?\d+)"