topic Re: Rex, Regex and Field Extraction Question in Splunk Search

Rex, Regex and Field Extraction Question

MHS — Tue, 24 Apr 2012 17:53:37 GMT

I know this is going to be something simple and probably the fact that I'm posting this will trigger something in my dome. But here goes:
Here is what my data looks like:
Apr 20 15:36:43 10.200.1.22 1794246290: Called Party Number i = 0x80, '12858'
Apr 20 15:36:42 10.200.1.22 1794246273: Called Party Number i = 0xA1, '314255####'
Note: #### is to redact for privacy

So I want to do a search line extract for anything between the ' '. My regex should look like this: '\d{5,10}'
when I put this line into spunk to extract that field I just get a blank for the field dialed number:
"Called Party Number i" | rex "'\d{5,10}'(?)"

Suggestions?

Re: Rex, Regex and Field Extraction Question

sowings — Tue, 24 Apr 2012 18:00:03 GMT

When using named field extractions, the field name goes inside (and before) before the matching group, like:

rex "'(?<dialednumber>\d{5,10})'"

Re: Rex, Regex and Field Extraction Question

cphair — Tue, 24 Apr 2012 18:19:35 GMT

@MHS, note that you also need a backslash before the d to make it match a digit. You also may need to escape (backslash) the single quotes, but I don't have data handy to test that.

Re: Rex, Regex and Field Extraction Question

sowings — Tue, 24 Apr 2012 18:45:39 GMT

Yeah, I forgot about double escaping my \'s.

Re: Rex, Regex and Field Extraction Question

MHS — Tue, 24 Apr 2012 20:11:14 GMT

Thanks for the response. That took care of it.