topic How to extract two strings from my sample data and concatenate them as one field value? in Splunk Search

How to extract two strings from my sample data and concatenate them as one field value?

IRHM73 — Mon, 11 Apr 2016 14:38:49 GMT

Hi,

I wonder whether someone may be able to help me please.

I'm trying to extract the "1234567/123" from the string below, but I'd like the final output to be "1234567123".

"/for/1234567/123/AB1+2BC

I did come up with the following "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/, but I wasn't sure about how to join the "refno" and refno2". I also wasn't sure if there was a more elegant way of doing this.

I just wondered whether someone could possibly look at this please and offer some guidance on how I may go about achieving this.

Many thanks and kind regards

Chris

Re: How to extract two strings from my sample data and concatenate them as one field value?

richgalloway — Mon, 11 Apr 2016 15:05:58 GMT

If you're doing this in a search query you can join the fields using eval.

... | rex "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/" | eval refno=refno . refno2 | ...

Re: How to extract two strings from my sample data and concatenate them as one field value?

javiergn — Mon, 11 Apr 2016 15:08:53 GMT

Try this (without the first two lines I've used for testing of course):

| stats count
| eval _raw = "/for/1234567/123/AB1+2BC"
| rex max_match=0 "(?<mynum>\d+)\/"
| eval mynum = mvjoin(mynum,"")

Re: How to extract two strings from my sample data and concatenate them as one field value?

somesoni2 — Mon, 11 Apr 2016 15:09:31 GMT

If you're extracting this refno from an existing field (say source), then try something like this

your base search | eval refno=replace(source,"\/for\/([^\/]+)\/([^\/]+)\/","\1\2")

Re: How to extract two strings from my sample data and concatenate them as one field value?

nravichandran — Mon, 11 Apr 2016 18:50:13 GMT

just use | STRCAT refno refno2 NewRef | table NewRef

Re: How to extract two strings from my sample data and concatenate them as one field value?

woodcock — Tue, 12 Apr 2016 05:39:34 GMT

Assuming you have this string in a field called reference, which can be simulated like this:

|stats count|eval reference = "/for/1234567/123/AB1+2BC"

Then you can do it like this:

| eval refno=reference
| rex field=refno mode=sed "s%/[^/]+/([^/]+)/([^/]+).*%\1\2%"

Re: How to extract two strings from my sample data and concatenate them as one field value?

IRHM73 — Tue, 12 Apr 2016 05:56:03 GMT

Hi @javiergn, thank you for coming back to me with this.

I was able to extract the data which was great, but when it came the join, it repeated the number in the field.

Many thanks and kind regards

Chris

Re: How to extract two strings from my sample data and concatenate them as one field value?

IRHM73 — Tue, 12 Apr 2016 05:59:06 GMT

Hi @somesoni2, thank you for coming back to me with this.

Unfortunately I wasn't able to use this because I needed to extract the information from the raw data. When I used '_raw' as the replacement to 'source', this didn't extract the information, so I assumed the field where the regex is extracting the data from must be a definitive field.

Kind Regards

Chris

Re: How to extract two strings from my sample data and concatenate them as one field value?

IRHM73 — Tue, 12 Apr 2016 06:00:35 GMT

Hi @richgalloway, thank you for taking the time to reply and for the solution which works great. Just pipped to the post by @nravichandran

Kind Regads

Chris

Re: How to extract two strings from my sample data and concatenate them as one field value?

IRHM73 — Tue, 12 Apr 2016 06:01:17 GMT

Hi, thank you for taking the time to reply to my post.

The solution is great.

Kind Regards

Chris