
Query for split or replace command to just fetch incident number from subject

priya0709
Path Finder

My query fetches (recipient, time, subject) in a table.
However, my requirement is to split the incident number (INC00027697776) from the subject and display it in another column named Incident.


soutamo
SplunkTrust

Hi

Please try the following:

...
| rex "(?<wholeInc>INC\d+)"
| rex field=wholeInc "INC(?<incNum>\d+)"

r. Ismo 


rnowitzki
Builder

Hi @priya0709 ,

Can you share some example(s) of what the subject might look like?

BR
Ralph

--
Karma and/or Solution tagging appreciated.

priya0709
Path Finder

Below are 2 examples of subject lines for which I need to split the incident name and display it in another column:

1.  INC000027679570 | <servername> | scom exchange 2k16: Failed to connect to computer

2.  Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on <servername>


priya0709
Path Finder

How can I use the below query to separate the servername, which has different names, e.g.:

WSINI601XASI01

WRDNA502XUSA05

WGBR601XGBR11

from the below subject lines:

1.  INC000027679570 | <servername> | scom exchange 2k16: Failed to connect to computer

2.  Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on <servername>


rnowitzki
Builder

Hi @priya0709 ,

Well, there has to be something "unique" to identify them.

Do they always start with a capital "W"?
Is there a min/max length of the string?
Do the subjects where they appear always look the same? You gave 2 examples; are there more possible subjects where they appear?

The following simple RegEx would work if there are never any other words/strings that start with a capital "W" in the subject and if the servername always has "W" as its first character:

| rex field=subject "(?<servername>W\S+)"

You could make it more sensitive by adding words/characters that appear around the servername, if that is limited. Or you could specify a min and max length of the servername string.

Hope it helps.

BR
Ralph
--
Karma and/or Solution tagging appreciated.



priya0709
Path Finder

Thank you so much


priya0709
Path Finder

Thank you for your reply!!

But I want to pull the incident name from the subject field.


rnowitzki
Builder

Hi @priya0709 ,

That's what @soutamo's first command does. You can add the field if you like:

| rex field=subject "(?<wholeInc>INC\d+)"

The second command was just to strip the pure number (without "INC") from the whole Incident ID.

BR
Ralph

 

--
Karma and/or Solution tagging appreciated.
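As an added illustration (not code from the thread), the two rex extractions and the server-name pattern applied with Python's re module to subjects built from the examples above. The server names substituted for <servername> are constructed from priya0709's list, and the stricter server-name pattern is an assumption derived from those three names.

```python
import re

# Constructed sample subjects modelled on the two lines in the thread, with one of
# the listed example server names substituted for the <servername> placeholder.
SUBJECTS = [
    "INC000027679570 | WSINI601XASI01 | scom exchange 2k16: Failed to connect to computer",
    "Wo# 1197736/ INC00027697776/ please perform hardware diagnostic on WRDNA502XUSA05",
]

# Equivalent of:  | rex field=subject "(?<wholeInc>INC\d+)"
#                 | rex field=wholeInc "INC(?<incNum>\d+)"
WHOLE_INC = re.compile(r"(?P<wholeInc>INC\d+)")
INC_NUM = re.compile(r"INC(?P<incNum>\d+)")

# The thread's first suggestion: anything that starts with a capital W.
LOOSE_SERVER = re.compile(r"(?P<servername>W\S+)")
# Tighter pattern (assumption): shape of WSINI601XASI01, WRDNA502XUSA05, WGBR601XGBR11
# -> W, 3-4 letters, 3 digits, X, 3 letters, 2 digits.
STRICT_SERVER = re.compile(r"(?P<servername>W[A-Z]{3,4}\d{3}X[A-Z]{3}\d{2})")


def extract(subject, server_re=STRICT_SERVER):
    """Return wholeInc, incNum and servername for one subject (None where no match)."""
    fields = {"wholeInc": None, "incNum": None, "servername": None}
    m = WHOLE_INC.search(subject)
    if m:
        fields["wholeInc"] = m.group("wholeInc")
        # The second rex runs on the already-extracted field, not on the subject.
        n = INC_NUM.search(fields["wholeInc"])
        if n:
            fields["incNum"] = n.group("incNum")
    s = server_re.search(subject)
    if s:
        fields["servername"] = s.group("servername")
    return fields


if __name__ == "__main__":
    for subj in SUBJECTS:
        # On the second subject the loose pattern stops at "Wo#", the strict one does not.
        print("loose :", extract(subj, LOOSE_SERVER))
        print("strict:", extract(subj))
```

Note that `INC\d+` keeps the leading zeros, so incNum is a string, not a number; the loose `W\S+` pattern picks up "Wo#" in the second subject, which is exactly the collision the reply warns about.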