Query for split or replace command to just fetch incident number from subject

priya0709
Path Finder

My query fetches (recipient, time, subject) in a table.
However, my requirement is to split the incident number (INC00027697776) from the subject and display it in another column named Incident.


isoutamo
SplunkTrust

Hi

please try the next

...
| rex "(?<wholeInc>INC\d+)"
| rex field=wholeInc "INC(?<incNum>\d+)"

r. Ismo 


rnowitzki
Builder

Hi @priya0709 ,

Can you share one or more examples of what the subject might look like?

BR
Ralph

--
Karma and/or Solution tagging appreciated.

priya0709
Path Finder

Below are 2 examples of subject lines for which I need to split out the incident name and display it in another column:

1.  INC000027679570 | <servername> | scom exchange 2k16: Failed to connect to computer

2.  Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on <servername>


priya0709
Path Finder

How can I use the query below to separate the servername, which has different names, e.g.:

WSINI601XASI01

WRDNA502XUSA05

WGBR601XGBR11

from the subject lines below:

1.  INC000027679570 | <servername> | scom exchange 2k16: Failed to connect to computer

2.  Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on <servername>


rnowitzki
Builder

Hi @priya0709 ,

Well, there has to be something "unique" to identify them.

Do they always start with a capital "W"?
Is there a min/max length of the string?
Do the subjects where they appear always look the same? You gave 2 examples; are there more possible subjects where they appear?

The following simple RegEx would work if there are never any other words/strings that start with a capital "W" in the subject and if the servername always has "W" as its first character:

| rex field=subject "(?<servername>W\S+)"


You could make it more sensitive by adding words/characters that appear around the servername, if that is limited. Or you could specify a min and max length of the servername string.

Hope it helps.

BR
Ralph
--
Karma and/or Solution tagging appreciated.



priya0709
Path Finder

Thank you so much


priya0709
Path Finder

Thank you for your reply!!

But I want to pull the incident name from the subject field.


rnowitzki
Builder

Hi @priya0709 ,

That's what @isoutamo's first command does. You can add the field if you like:

| rex field=subject "(?<wholeInc>INC\d+)"

The second command was just to strip the pure number (without "INC") from the whole Incident ID.

BR
Ralph

--
Karma and/or Solution tagging appreciated.
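As an added, runnable illustration of the regexes discussed in this thread (not code from the thread or from Splunk), the Python below applies the same patterns with the `re` module to two constructed subject lines modelled on the asker's examples, with the `<servername>` placeholders filled in from the listed hostnames. The `SUBJECTS` inputs and the tightened `TIGHT_SERVER` pattern are assumptions; the run also shows why the loose `W\S+` pattern picks up `Wo#` in the second subject, the case Ralph's caveat warns about.

```python
import re

# Constructed subject lines modelled on the two examples in the thread, with the
# <servername> placeholders filled in from the hostnames the asker listed.
SUBJECTS = [
    "INC000027679570 | WSINI601XASI01 | scom exchange 2k16: Failed to connect to computer",
    "Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on WRDNA502XUSA05",
]

# The same two patterns as the rex commands in the accepted answer.
WHOLE_INC = re.compile(r"(?P<wholeInc>INC\d+)")
INC_NUM = re.compile(r"INC(?P<incNum>\d+)")

# The loose servername pattern from the thread, and a tighter (assumed) one:
# the listed hostnames are 13 or 14 upper-case alphanumerics starting with W,
# and the word boundaries keep it from matching "Wo#" or part of a longer token.
LOOSE_SERVER = re.compile(r"(?P<servername>W\S+)")
TIGHT_SERVER = re.compile(r"\b(?P<servername>W[A-Z0-9]{12,13})\b")


def extract_incident(subject):
    """Mirror the two-step rex: whole ID first, then the digits without 'INC'."""
    m = WHOLE_INC.search(subject)
    if not m:  # rex leaves the field unset when nothing matches
        return {"wholeInc": None, "incNum": None}
    whole = m.group("wholeInc")
    return {"wholeInc": whole, "incNum": INC_NUM.search(whole).group("incNum")}


def extract_servername(subject, pattern=TIGHT_SERVER):
    """Return the first match of `pattern`, or None when nothing matches."""
    m = pattern.search(subject)
    return m.group("servername") if m else None


if __name__ == "__main__":
    for s in SUBJECTS:
        print(extract_incident(s),
              "loose:", extract_servername(s, LOOSE_SERVER),
              "tight:", extract_servername(s))
```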