
Extracting a string of numbers from log file and tabulate the data

New Member

I am trying to extract a string of numbers (6-8 digits) within a string. Each of the strings extracted/detected will be a category of event ID, and I will need to tabulate the stats of these event IDs. What is a good way of doing it?

0 Karma
1 Solution

SplunkTrust

try this:

index=<your_index> | rex "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})"

also, try this run anywhere search:

| makeresults 
| eval data="054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9,999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9" 
| makemv data delim="," 
| mvexpand data 
| rex field=data "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})"


0 Karma
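The same extraction and the tabulation the question asks for, as an added example that is not part of the accepted answer: it applies the answer's regex to the two sample lines from the thread (plus a constructed line with no marker, to show how a miss is handled) and counts lines per event ID.

```python
import re
from collections import Counter

# Regex from the accepted answer: a letter or digit, three digits, "_",
# three digits, the literal "01", then the 4-digit event ID. Python's re
# spells a named group (?P<name>...) rather than Splunk's (?<name>...).
EVENT_ID_RE = re.compile(r"(\d|\w)\d{3}_\d{3}01(?P<EventId>\d{4})")

# Constructed sample input: the two lines from the thread, the second one
# repeated, and one line that deliberately lacks the xxx_xxx01 marker.
SAMPLE_LOGS = [
    "054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe "
    "0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9",
    "999900 20191025183334S617_0310130020571272600120541ConsultaLDAP "
    "0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9",
    "999900 20191025183334S617_0310130020571272600120541ConsultaLDAP "
    "0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9",
    "000000 20191025183400 malformed line with no marker",
]


def extract_event_id(line: str):
    """Return the 4-digit event ID from one raw line, or None if absent."""
    m = EVENT_ID_RE.search(line)
    return m.group("EventId") if m else None


def tabulate_event_ids(lines):
    """Count lines per event ID and separately count lines that did not parse.

    Returns (counts_by_event_id, unmatched_count). Keeping the unmatched
    count visible matters: silently dropping unparsed lines hides the
    events a report is least likely to expect.
    """
    counts = Counter()
    unmatched = 0
    for line in lines:
        event_id = extract_event_id(line)
        if event_id is None:
            unmatched += 1
        else:
            counts[event_id] += 1
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = tabulate_event_ids(SAMPLE_LOGS)
    for event_id, n in sorted(counts.items()):
        print(f"{event_id}\t{n}")
    print(f"unmatched\t{unmatched}")
```

In Splunk the equivalent tabulation is appending `| stats count by EventId` to the rex search above.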


Esteemed Legend

Like this:

... | rex field=eventID "(?<myNumber>\d+)"

0 Karma

Revered Legend

The best method will depend upon the exact use case of yours. Please share some sample values, highlight what part you want to extract and what aggregation/reporting you want out of it. Sample expected output will help too.

0 Karma

New Member

For example, for the first event,
054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9, the event ID is the 43rd-46th digits (4 digits) "2006" after xxxxx_xxx01

Or for the second example,
999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9
the event ID is "3002", which is the 4 digits after xxxx_xxx01.

The event ID begins with 01.

0 Karma

SplunkTrust

The best way of extracting is regex. Please give us sample input.

0 Karma

New Member

Here is the sample input:

054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9

or

999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9

Trying to extract the eventID that is after _031*01XXXX*

0 Karma

SplunkTrust

Okay, can you tell me what's the eventID? What to extract from both the events?

0 Karma
