https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163563#M46436 <P>I just needed to add one blank white space prior to the last "dash" and this fixed the extraction!<BR /> Thanks MuS!</P> Tue, 23 Jun 2015 17:44:18 GMT kmccowen 2015-06-23T17:44:18Z https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163561#M46434 <P>I using the below REX but i'm getting unwanted values for another field that is not related to account number. </P> <PRE><CODE>REX: -\s(?&lt;acct&gt;\d{16}) </CODE></PRE> <P>Example Log:</P> <PRE><CODE>[2015-06-21T23:59:53.882-05:00] [gw_server6] [NOTIFICATION] [] [com.charter.customer.care.view.backing.banner.BannerFlowBean] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: cbrewster] [ecid: 8e4ec398-841d-45ad-9eb6-dec27a6d5b42-0004b72b,0] [APP: chtrgwy] 2015-06-21 23:59:53.882 - CTIPOP CALL RECEIVED - FGS - 8246100013000800- 8178750270 - 558795aa00000000ac10edf823300002 </CODE></PRE> <P>My extraction is pulling in a value of <CODE>5586441100000000</CODE> in some cases but in most cases i'm getting what I want which would be <CODE>8246100013000800</CODE> </P> <P>Valid account numbers should always start with the number "8" is there a way to add that logic into my existing Extraction for my Account number field?</P> Mon, 22 Jun 2015 18:35:31 GMT https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163561#M46434 kmccowen 2015-06-22T18:35:31Z https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163562#M46435 <P>Hi kmccowen,</P> <P>try something like this:</P> <PRE><CODE>your base search here | rex field=_raw "-\s(?&lt;acct&gt;\d{16})\s-" | table acct </CODE></PRE> <P>This will capture only 16 digits until the next <CODE>-</CODE> is found.</P> <P>Hope this helps...</P> <P>cheers, MuS</P> Tue, 23 Jun 2015 00:07:30 GMT https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163562#M46435 MuS 2015-06-23T00:07:30Z https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163563#M46436 <P>I just needed to add one blank white space prior to the last "dash" and this fixed the extraction!<BR /> Thanks MuS!</P> Tue, 23 Jun 2015 17:44:18 GMT https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163563#M46436 kmccowen 2015-06-23T17:44:18Z https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163564#M46437 <P>Final regex:</P> <PRE><CODE>your base search here | rex field=_raw "-\s(?&lt;acct&gt;\d{16})\s-" </CODE></PRE> Tue, 23 Jun 2015 17:46:42 GMT https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163564#M46437 kmccowen 2015-06-23T17:46:42Z https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163565#M46438 <P>need to add a white space "/s" prior to the final dash</P> Tue, 23 Jun 2015 19:48:02 GMT https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163565#M46438 kmccowen 2015-06-23T19:48:02Z https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163566#M46439 <P>thanks for the hint <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 23 Jun 2015 19:52:33 GMT https://community.splunk.com/t5/Splunk-Search/Rex-16-digit-account-number-that-always-starts-with-8/m-p/163566#M46439 MuS 2015-06-23T19:52:33Z