topic Re: Need help with RegEx in Splunk Search

Need help with RegEx

omuelle1 — Fri, 10 Feb 2017 13:50:43 GMT

Hi,

I am trying to extract a field in Splunk but the field extraction doesn't work and throws this error

"The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."

Therefore I am trying to write the regex myself but I am not really good at regex, so I would you guys help.

I want to skip the first two number in this string and extract the upcoming 6:

0035373112473B    CC002017020809521700000001r200000432                                                                                            SYSTEM      201702081437521

So in this case I want my Field to contain 353731.

This is my current regex but I don't know how I can get it to skip the first two numbers.

(?<ITEM>\s*\s*K\^[0-9][0-9][0-9][0-9][0-9][0-9])

Thank you,

Oliver

Re: Need help with RegEx

hgrow — Fri, 10 Feb 2017 14:48:56 GMT

Hi there,

if your capturing group is already matching, you can just pull the first two digets (\d{2}) out of the capturing group.

just execute this as an example: | makeresults | eval test="0035373112473B" | rex field=test "\d{2}(?<ITEM>\d{6})"

Greetings

Edited the regex 🙂

Re: Need help with RegEx

esix_splunk — Fri, 10 Feb 2017 14:52:14 GMT

Based on your event in the above:

^\d{2}(?<mystring>\d{6})\w+

That looks at the beginning of the line, skips the first 2 digits, and captures the next 6 digits.

Check out this website : https://regex101.com/r/awrCuI/1

Re: Need help with RegEx

omuelle1 — Fri, 10 Feb 2017 14:59:38 GMT

Thank you guys, I will need to improve my regex skills since the Field Extractor barely works.

How would I modify the regex if there is white space after the 6 digits?

Like it doesn't match for this case:

00012220          *O082017020900024800000000q0025047000011000000009000000009000000001000000000000000000

Re: Need help with RegEx

hgrow — Fri, 10 Feb 2017 15:03:45 GMT

You should just be able to leave out esixs \w+ if im correct 🙂

In your case it should not matter what is coming after the first 6 digits --whitespaces or some characters since you will always want the digits right after the beginning of the line.

^\d{2}(?<mystring>\d{6})

Re: Need help with RegEx

esix_splunk — Fri, 10 Feb 2017 15:06:04 GMT

You can just use this..

 ^\w{2}(?<mystring>\d{6})

Here the \w denotes a word space, so all letters upper and lower, numbers, and spaces.. So this will catch events that start with numbers, letters, or spaces x 2

Re: Need help with RegEx

omuelle1 — Fri, 10 Feb 2017 15:31:29 GMT

Thank you guys!!

Re: Need help with RegEx

omuelle1 — Fri, 10 Feb 2017 19:34:21 GMT

Could you guys also help to me how get the *O (It can be any 2 characters) but always at that same position. I tried the same thing you guys told me, but the skipping doesn't work, I assume because there is space in between.

00012220         *O082017020900024800000000q0025047000011000000009000000009000000001000000000000000000

Re: Need help with RegEx

hgrow — Mon, 13 Feb 2017 07:39:36 GMT

^\w+\s+(?<field>.{2})might do it?

Re: Need help with RegEx

esix_splunk — Mon, 13 Feb 2017 09:00:00 GMT

You can try this...

(\s+|\w+)(?<digits>\d{7})\s+(?<next>\*\w)\w+

This assumes the Patter is also **O*, that is asterisks + Letter.

Re: Need help with RegEx

omuelle1 — Mon, 13 Feb 2017 14:49:34 GMT

Both worked for me, thank you guys!