All Apps and Add-ons

Query for split or replace command to just fetch incident number from subject

priya0709
Path Finder

My query fetches (recipient, time, subject) in a table.
However, my requirement is to split the incident number (INC00027697776) from the subject and display it in another column named Incident.

0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

please try the next

...
| rex "(?<wholeInc>INC\d+)"
| rex field=wholeInc "INC(?<incNum>\d+)"

r. Ismo 

View solution in original post

0 Karma

rnowitzki
Builder

Hi @priya0709 ,

Can you share an/some example(s) what the subject might look like?

BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma

priya0709
Path Finder

Below are 2 examples of subject lines for which I need to split the incident name and display it in another column:

1.  INC000027679570 | <servername> | scom exchange 2k16: Failed to connect to computer

2.  Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on <servername>

0 Karma

priya0709
Path Finder

How to use the below query to separate the servername, which has different names, e.g.:

WSINI601XASI01

WRDNA502XUSA05

WGBR601XGBR11

from the below subject lines:

1.  INC000027679570 | <servername> | scom exchange 2k16: Failed to connect to computer

2.  Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on <servername>

0 Karma

rnowitzki
Builder

Hi @priya0709 ,

Well, there has to be something "unique" to identify them.

Do they always start with a capital "W"?
Is there a min/max length of the string?
Do the subjects where they appear always look the same? You gave 2 examples, are there more possible subjects where they appear?

The following simple RegEx would work if there are never any other words/strings that start with a capital "W" in the subject and if the servername always has "W" as its first character:

| rex field=subject "(?<servername>W\S+)"


You could make it more sensitive by adding words/characters that appear around the servername, if that is limited. Or you could specify a min and max length of the servername string.

Hope it helps.

BR
Ralph
--
Karma and/or Solution tagging appreciated.

0 Karma


priya0709
Path Finder

Thank you so much

0 Karma

priya0709
Path Finder

Thank you for your reply!

But I want to pull the incident name from the subject field?

0 Karma

rnowitzki
Builder

Hi @priya0709 ,

That's what @isoutamo's first command does. You can add the field if you like:

| rex field=subject "(?<wholeInc>INC\d+)"

The second command was just to strip the pure number (without "INC") from the whole Incident ID.

BR
Ralph


--
Karma and/or Solution tagging appreciated.
0 Karma
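The two rex steps above and the servername pattern from Ralph's earlier reply, carried out in Python as an added example that is not from the thread. The sample subjects are constructed from the two posted in the thread with the placeholder filled in from the posted server names; the tightened servername pattern is an assumption inferred from those three names, and it is there to show why the loose `W\S+` pattern picks up "Wo#" in the second subject.

```python
import re

# Constructed sample subjects: the two shapes posted in the thread, with the
# <servername> placeholder filled in from the server names also posted there.
SUBJECTS = [
    "INC000027679570 | WSINI601XASI01 | scom exchange 2k16: Failed to connect to computer",
    "Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on WRDNA502XUSA05",
]

# Same two steps as the accepted rex answer. Python spells a named group
# (?P<name>...) where Splunk's rex (PCRE) accepts (?<name>...).
WHOLE_INC = re.compile(r"(?P<wholeInc>INC\d+)")
INC_NUM = re.compile(r"INC(?P<incNum>\d+)")

# Ralph's first-cut servername pattern: anything starting with a capital W.
SERVER_LOOSE = re.compile(r"(?P<servername>W\S+)")

# Tightened pattern: an assumption inferred from the three names in the thread
# (W, 3-4 letters, 3 digits, X, 3 letters, 2 digits), bounded by \b so it
# cannot start inside another token such as "Wo#".
SERVER_STRICT = re.compile(r"\b(?P<servername>W[A-Z]{3,4}\d{3}X[A-Z]{3}\d{2})\b")

def extract_incident(subject):
    """Return (wholeInc, incNum) or (None, None) when no INC token is present."""
    m = WHOLE_INC.search(subject)
    if not m:
        return None, None
    whole = m.group("wholeInc")
    return whole, INC_NUM.match(whole).group("incNum")

def extract_servername(subject, strict=True):
    """Return the servername field, or None when the pattern does not match."""
    pattern = SERVER_STRICT if strict else SERVER_LOOSE
    m = pattern.search(subject)
    return m.group("servername") if m else None

def build_rows(subjects):
    """Produce the extra table columns the question asks for, one dict per subject."""
    rows = []
    for s in subjects:
        whole, num = extract_incident(s)
        rows.append({"subject": s, "Incident": whole, "incNum": num,
                     "servername": extract_servername(s)})
    return rows

if __name__ == "__main__":
    for row in build_rows(SUBJECTS):
        print(row)
```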