topic Re: Regular expression in Splunk Search

Regular expression

Navanitha — Tue, 12 May 2015 11:47:22 GMT

Hi,

Can someone help me in writing the regex for following string

20141128082428PAASSUB 00.?9CDPCI8I USER ACTION TITLE 295211P3055E464 01Q0009000054146746SAHEER SHAIK12
20141202054437PBSALAK 00.94_VCT90U Windows security event logs P43833244199105 02P8758878262824579SAI LAKSMII

I need to extract the last string and name it as user. eg: user=SAHEER SHAIK. Also extract the digit "P43833244" and name it as ID.

Re: Regular expression

krish3 — Tue, 12 May 2015 13:10:56 GMT

can you confirm these??

No space between these values and name 01Q0009000054146746SAHEER SHAIK12

Is ID you specified is off alphabet followed by 8 digits out of this P43833244199105

Re: Regular expression

Navanitha — Tue, 12 May 2015 13:19:16 GMT

There is no space between 01Q0009000054146746SAHEER SHAIK12
ID starts with alphabet P followed by 8 digits

Re: Regular expression

gfuente — Tue, 12 May 2015 13:27:07 GMT

Hello

Regex for ID:

P(?<ID>\d{8})

Regex for name:

(?<name>[^\d]*)\d*\s*$

Regards

Re: Regular expression

Navanitha — Tue, 12 May 2015 13:40:50 GMT

Hello,

Regex for name is working. Can you pls explain the expression for me.

And Regex for ID is not working. This is capturing first 8 digits of the string.

Thanks

Re: Regular expression

ConnorG — Tue, 12 May 2015 13:47:05 GMT

This should do:

(?<ID>P\d{8})

Re: Regular expression

gfuente — Tue, 12 May 2015 13:48:13 GMT

Updated,

The first regex was missing a P

The regex for the name works this way, goes to the end of the event, leaves out of the capturing group any spaces an numbers, and then captures everything backwards until the first digit is found

Regards

Re: Regular expression

Navanitha — Tue, 12 May 2015 13:56:51 GMT

Thank you for the explanation. Its clear now.

But ID regex is still not working.

Re: Regular expression

Navanitha — Tue, 12 May 2015 13:57:55 GMT

this is not working Connor..

Re: Regular expression

gfuente — Tue, 12 May 2015 14:06:27 GMT

Hello

The regex works for me, only for the second sample event. The first event has also letters, not just digits as you stated it should be:

ID starts with alphabet P followed by 8 digits

This sentence means this regex: P(?<ID>\d{8})

If you want to include also letters, you should give us additional constrains of the surroundind data to make it work for all cases. Maybe you can post additional sample events

Re: Regular expression

regexcracker — Mon, 28 Sep 2020 19:54:00 GMT

Please try this:

rex field=_raw (?<ID>Pw{8})w*s(?<First>w+)s(?<Last>w+$) | rex field=First w+d(?<First_Name>w+$) | table ID First_Name Last_Name

Re: Regular expression

regexcracker — Mon, 28 Sep 2020 19:54:02 GMT

Try this:

rex field=_raw (?<ID>P\w{8})\w*\s(?<First>\w+)\s(?<Last>\w+$) | rex field=First \w+\d(?<First_Name>\w+$) | table ID First_Name Last_Name