topic Re: regex question in Splunk Search

regex question

splunk_novice99 — Thu, 19 Oct 2023 06:17:40 GMT

Hello Experts,

I'm trying to work out how to strip down a field

field="blah_6chars_blah_blah"

the 6chars is what I want to extract and the 6 chars are always prefixed with 999.
the 6 chars prefixed with 999 might be in a different place in the field. i.e. blah_blah_6chars_blah

6chars example value=999aaa

so the regex should find all occurences of 999 in the field and extract the 999 and the next 3 chars and create an additional field with the result

Thanks

Re: regex question

isoutamo — Thu, 19 Oct 2023 06:27:12 GMT

you could try this

... | rex field=field "(?<foo>999[a-zA-Z0-9]{3})_*"

Then you have this in field foo. You should change [a-ZA-Z0-9] if those 3 characters could be something else than those.

r. Ismo

Re: regex question

yuanliu — Thu, 19 Oct 2023 06:38:05 GMT

You need to be precise in data description. I assume that the six characters starting with 999 are bounded by underscore (_), beginning of the string, or end of the string. Something like the following would do

| rex field=field "^([^_]+_)*(?<six_char>999.{3})(_[^_]+)*$"

Here is an emulation you can play with and compare with real data.

| makeresults | fields - _time | eval field=mvappend("blah_999ars_blah_blah", "blah_blah_999cha_blah", "9996ch_blah_blah_blah", "blah_blah_blah_999har") | mvexpand field ``` data emulation above ```