Query for split or replace command to just fetch incident number from subject

priya0709
Path Finder

My query fetches (recipient, time, subject) in a table.
However, my requirement is to split the incident number (INC00027697776) from the subject and display it in another column named Incident?

1 Solution

isoutamo
SplunkTrust

Hi,

please try the following:

...
| rex "(?<wholeInc>INC\d+)"
| rex field=wholeInc "INC(?<incNum>\d+)"

r. Ismo 

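The two-stage extraction above, reproduced in Python's re module as an added example (this is not code from the thread or from Splunk). Splunk's rex uses PCRE-style (?<name>...) capture groups, which Python spells (?P<name>...); everything else in the patterns is the same. The sample subjects are constructed from the two templates posted later in the thread with hypothetical host names filled in, plus one subject with no incident reference, to show that a non-matching event simply gets no field.

```python
import re

# Constructed sample subjects modelled on the two subject lines posted in the
# thread; the <servername> placeholders are filled with hypothetical host names.
# The third subject is constructed to contain no incident reference at all.
SUBJECTS = [
    "INC000027679570 | WSINI601XASI01 | scom exchange 2k16: Failed to connect to computer",
    "Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on WRDNA502XUSA05",
    "Reminder: patch window tonight",
]

# Splunk rex: (?<wholeInc>INC\d+)   ->  Python re: (?P<wholeInc>INC\d+)
WHOLE_INC = re.compile(r"(?P<wholeInc>INC\d+)")
# Splunk rex: INC(?<incNum>\d+) applied with field=wholeInc
INC_NUM = re.compile(r"INC(?P<incNum>\d+)")


def extract_incident(subject):
    """Mimic the two rex commands.

    Stage 1 captures the whole INC token from the subject; stage 2 runs on that
    captured field only and strips the INC prefix. Like rex, only the first match
    is used, and an event without a match gets no field (None here).
    """
    m = WHOLE_INC.search(subject)
    if m is None:
        return {"wholeInc": None, "incNum": None}
    whole = m.group("wholeInc")
    n = INC_NUM.search(whole)          # always matches: stage 1 guarantees the prefix
    return {"wholeInc": whole, "incNum": n.group("incNum")}


if __name__ == "__main__":
    for s in SUBJECTS:
        print(extract_incident(s))
```

incNum keeps its leading zeros because it stays a string; converting it to a number (for example with tonumber in an eval) would drop them and change the identifier, so leave it as text if it is meant to match the ticketing system.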

rnowitzki
Builder

Hi @priya0709 ,

Can you share one or more examples of what the subject might look like?

BR
Ralph

--
Karma and/or Solution tagging appreciated.

priya0709
Path Finder

Below are 2 examples of subject lines from which I need to split the incident name and display it in another column:

1.  INC000027679570 | <servername> | scom exchange 2k16: Failed to connect to computer

2.  Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on <servername>


priya0709
Path Finder

How do I use the query below to separate the servername, which has different names, e.g.:

WSINI601XASI01

WRDNA502XUSA05

WGBR601XGBR11

from the subject lines below:

1.  INC000027679570 | <servername> | scom exchange 2k16: Failed to connect to computer

2.  Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on <servername>


rnowitzki
Builder

Hi @priya0709 ,

Well, there has to be something "unique" to identify them.

Do they always start with a capital "W"?
Is there a min/max length of the string?
Do the subjects where they appear always look the same? You gave 2 examples; are there more possible subjects where they appear?

The following simple RegEx would work if there are never any other words/strings that start with a capital "W" in the subject and if the servername always has "W" as its first character:

| rex field=subject "(?<servername>W\S+)"


You could make it more sensitive by adding words/characters that appear around the servername, if that is limited. Or you could specify a min and max length of the servername string.

Hope it helps.

BR
Ralph
--
Karma and/or Solution tagging appreciated.

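To see why Ralph's two conditions matter, here is an added Python re example (not code from the thread or from Splunk) that runs the W\S+ pattern and a tighter alternative over constructed subjects: the two templates from the thread with the three listed host names substituted in, plus one constructed subject that begins with another capital-W word. The tighter pattern assumes every servername is a W followed by 12 or 13 upper-case letters or digits; that holds for the three names given but is an assumption, not something the thread confirms.

```python
import re

# Constructed subjects: the thread's two templates with the three host names
# priya0709 listed filled in for <servername>, plus a fourth constructed subject
# whose first word also starts with a capital W.
SUBJECTS = [
    "INC000027679570 | WSINI601XASI01 | scom exchange 2k16: Failed to connect to computer",
    "Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on WRDNA502XUSA05",
    "INC000027679571 | WGBR601XGBR11 | scom exchange 2k16: Failed to connect to computer",
    "Warning: disk full on WGBR601XGBR11",
]

# The simple pattern from the reply: the first run of non-space characters that
# begins with a capital W (Splunk rex writes the group as (?<servername>W\S+)).
LOOSE = re.compile(r"(?P<servername>W\S+)")

# Hypothetical tighter pattern derived from the three sample names: W followed by
# 12 or 13 upper-case letters/digits, with word boundaries so that a longer or
# lower-case token does not qualify.
STRICT = re.compile(r"\b(?P<servername>W[A-Z0-9]{12,13})\b")


def extract(pattern, subject):
    """Return the first servername match, or None when the pattern does not match."""
    m = pattern.search(subject)
    return m.group("servername") if m else None


def compare(subjects):
    """Pair the loose and strict extraction for every subject."""
    return [(extract(LOOSE, s), extract(STRICT, s)) for s in subjects]


if __name__ == "__main__":
    for subject, (loose, strict) in zip(SUBJECTS, compare(SUBJECTS)):
        print(f"{subject!r}\n  loose : {loose}\n  strict: {strict}")
```

The second and fourth subjects show the failure mode Ralph describes: "Wo#" and "Warning:" start with a capital W and sit before the real host name, so W\S+ returns them instead of the server. The length-bounded pattern skips both because the characters after the W are lower-case, and it still matches all three listed names; if a real host name ever falls outside 13 or 14 characters, the bounds have to be widened.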


priya0709
Path Finder

Thank you so much


priya0709
Path Finder

Thank you for your reply!

But I want to pull the incident name from the subject field?


rnowitzki
Builder

Hi @priya0709 ,

That's what @isoutamo's first command does. You can add the field if you like:

| rex field=subject "(?<wholeInc>INC\d+)"


The second command was just to strip the pure number (without "INC") from the whole Incident ID.

BR
Ralph


--
Karma and/or Solution tagging appreciated.