topic Re: Regular Expression extract beginning and end of string- What am I missing? in Splunk Search

Regular Expression extract beginning and end of string- What am I missing?

rhenry — Thu, 03 Mar 2022 17:36:02 GMT

Hello,

I have a situation where I am trying to pull from within a field the nomenclature of ABC-1234-56-7890 but want to be able to only pull the first three letters and the last four numbers into one field. I have the following query below thus far but have not figured out how to do as described above:

| rex field=comment (?<ABC>ABC\-\d+\-\d+\-\d+)

I want the return of "ABC-7890"

What am I missing so that I can successfully pull both beginning and end of the above described string? Thanks!

Re: Regular Expression extract beginning and end of string

gcusello — Thu, 03 Mar 2022 15:08:37 GMT

Hi @rhenry,

you could use a regex and an eval:

your_search | rex "^(?<my_field_1>\w\w\w).*(?<myfield_2>\d\d\d\d)" | eval my_field=my-field-1."-".my_field_2

you can test the regex at https://regex101.com/r/S7tXqS/1

Ciao.

Giuseppe

Re: Regular Expression extract beginning and end of string

PickleRick — Thu, 03 Mar 2022 15:04:40 GMT

Unfortunately, with PCRE you don't have a "ignore this part" group. (I would also welcome that)

You can however capture the beginning and end into separate fields and then create a calculated field combining them together,

Re: Regular Expression extract beginning and end of string

rhenry — Thu, 03 Mar 2022 15:15:51 GMT

Hey this string does what I am looking for. However, it looks like it only works if ABC-1234-56-7890 is the only string in the field. What if there is additional words before and after? Like for example:

"This the location for ABC-1234-56-7890 at this point."

Is there a way to extract just that string highlighted above and again only beginning and end? Thanks!

Re: Regular Expression extract beginning and end of string

gcusello — Thu, 03 Mar 2022 15:39:00 GMT

Hi, please try this:

your_search | rex "(?<my_field_1>\w\w\w)\S*(?<myfield_2>\d\d\d\d)" | eval my_field=my-field-1."-".my_field_2

that you can test at https://regex101.com/r/S7tXqS/2

Ciao.

Giuseppe

Re: Regular Expression extract beginning and end of string- What am I missing?

yuanliu — Fri, 04 Mar 2022 05:31:20 GMT

I can't help but noticing that your initial regex contains hard-coded leading string "ABC". This implies that the first group of letters is fixed. If this is the case, you can focus on the end of string, then compose with the known group, like this:

| rex field=comment "\bABC-\S+-(?<ABC>\d+)" | eval ABC="ABC-" . ABC

Another way is to use sed mode to strip whatever you don't need. This example assumes that leading string is unknown.

| rex field=comment mode=sed "s/.*?(\w+)\S+-(\d+).*/\1-\2/"

(If you cannot sacrifice original content of comment, you can first copy it into a different field name such as ABC, then apply rex to that field.)

Alternatively, you can apply sed or replace to the ABC field you initially extracted. This example uses replace.

| rex field=comment (?<ABC>ABC\-\d+\-\d+\-\d+) | eval ABC=replace(ABC, "ABC-\d+-\d+-", "ABC-")