topic Re: How to extract IDs? in Splunk Search

How to extract IDs?

beepbop — Fri, 14 Apr 2023 16:33:54 GMT

I have a field called APM_ID and i want to get the output for only APMs from this field (for eg: A1002, A0001) and want to group the rest of the output as "shared service". What query can i write for the desired output?

APM_ID

ABCDE-FVG-HH

HBBB-NDBXB-SM

A1001

SBSKS

A0002

JJSKM

A0009

A2002

Re: Extracting IDs

rut — Fri, 14 Apr 2023 12:11:03 GMT

@beepbop The following would group by id or "shared service", the regex may need to be a bit more strict depending on the field values.

| eval APM_ID_GROUP=if(match(APM_ID, "^[A-Z]\d+$"), APM_ID, "shared service") | stats values(APM_ID) as APM_ID by APM_ID_GROUP

Re: How to extract IDs?

woodcock — Fri, 14 Apr 2023 20:34:20 GMT

|makeresults
| eval APM_ID = "ABCDE-FVG-HH HBBB-NDBXB-SM A1001 SBSKS A0002 JJSKM"
| rex max_match=0 field=APM_ID "(?<APM>A\d{4})"