How would I extract the account number here?
message:Receiving exp from: Long URL /Eex for account(s): 8768
rex field=_raw "Exposure for account(s):\s+(?<account>[^,]+)"
It neither brings result nor error.
Your message sample says /Eex, your regex starts with "Exposure". Is that just a typo or so in your sample, otherwise that could be one of the issues.
Also: ( is a special character, you need to escape it. To keep it simple (you can enhance it if you need), something like this should work:
| rex field=_raw "account\(s\):\s+(?<account_number>\d+)"
See also: https://regex101.com/r/ELFlV3/1
Yes, it's easy, like this:
| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR"
| rex field=_raw "Eex for account\(s\):\s+(?<accounts>.*)"
| makemv delim="," accounts
| mvexpand accounts
| rex field=accounts "(?<account_number>\d+)"
That above won't help, as I'm extracting info from logs and we're limited here, thus I need to extract with rex:
| rex field=_raw "account\(s\):\s+(?<account_number>\d+)"
This is correct, but it's taking only digits; however my accounts are made of numbers and digits. Also there is text after that too, which I would like to eliminate, limiting the result to accounts only.
| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR"
| rex field=_raw "Eex for account\(s\):\s+(?<accounts>.*)"
| makemv delim="," accounts
| mvexpand accounts
| rex field=accounts "(?<account_number>\d+)"
Hello,
To extract multiple values, you can use the makemv and mvexpand commands:
| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR"
| rex field=_raw "Eex for account\(s\):\s+(?<accounts>.*)"
| makemv delim="," accounts
| mvexpand accounts
If that works, please accept the answer to help another person with the same problem.
Hey,
What you are doing is correct; you must just add \ before ( and ) like account\(s\), and add the name of the extracted field like (?<accounts>...), for example:
| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768"
| rex field=_raw "Eex for account\(s\):\s+(?<accounts>[^,]+)"
I'm actually trying to do this.
https://regex101.com/r/ELFlV3/1
I only want to take the accounts. I don't want to take any text after that.
It sounds like your event might have more data after the account number(s). Can you paste a full sample event, so that we can help you figure out how to extract all account numbers but not the text after the accounts?
You can test directly in Splunk that it takes only the number, not the text: copy and paste the whole request into the Search bar.
@swetasoneji If your problem is resolved, please accept an answer to help future readers.
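Added example, not from the original thread: a Python re-implementation of the rex / makemv / mvexpand pipeline discussed above, covering both the escaping point (an unescaped account(s) only matches the literal text "accounts:") and the question of how to take all comma-separated accounts without the text that follows them. The sample events are constructed here; the third one, with trailing text after the account list, is an assumption about what that text looks like, since the thread never shows a full event. Python's re uses (?P<name>...) where Splunk's PCRE uses (?<name>...).

```python
import re

# Constructed sample events (not taken from the thread). The first two mirror the
# shapes posted there; the third appends trailing text after the account list,
# an assumed form of the "text after that" the poster wants to exclude.
SAMPLE_EVENTS = [
    "message:Receiving exp from: Long URL /Eex for account(s): 8768",
    "message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR",
    "message:Receiving exp from: Long URL /Eex for account(s): 8768,789JRH, 7854JRH status=sent to queue",
]

# The original, unescaped pattern: "(s)" is a capture group here, so the
# literal it matches is "accounts:", which never occurs in the events.
UNESCAPED_RE = re.compile(r"account(s):\s+(?P<accounts>[^,]+)")

# Escaped parentheses, then capture only a comma-separated run of
# alphanumeric tokens. A ".*" capture would drag trailing text into the field.
ACCOUNT_LIST_RE = re.compile(
    r"account\(s\):\s+(?P<accounts>[0-9A-Za-z]+(?:\s*,\s*[0-9A-Za-z]+)*)"
)


def broken_pattern_matches(event: str) -> bool:
    """True only if the unescaped pattern matches, i.e. never for these events."""
    return UNESCAPED_RE.search(event) is not None


def extract_accounts(event: str) -> list:
    """Account identifiers from one event, or [] when the anchor is absent.

    Equivalent of  rex | makemv delim=","  : the regex captures the list,
    split(",") does the makemv step, strip() removes the stray space after
    commas seen in the sample data.
    """
    m = ACCOUNT_LIST_RE.search(event)
    if not m:
        return []
    return [tok.strip() for tok in m.group("accounts").split(",")]


def extract_all(events) -> list:
    """mvexpand equivalent: one entry per account instead of one per event."""
    return [acct for ev in events for acct in extract_accounts(ev)]


def digits_only(accounts) -> list:
    """The \\d+ variant from the thread: keeps only a leading numeric prefix."""
    out = []
    for a in accounts:
        m = re.match(r"\d+", a)
        if m:
            out.append(m.group(0))
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_accounts(ev))
```

The pattern stops at the first token that is not preceded by a comma, so trailing text separated by whitespace is dropped; if the real events ever put a comma between the last account and the trailing text, that text would be captured as one more token, and the character class would need to be tightened to the actual account format.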
Thanks a lot.
This worked: | rex field=_raw "account\(s\):\s+(?<account_number>\d+)"
But what if I have multiple accounts here: 7293,7243BMKTL, 8987,5787JHR
What do you want to do with multiple account numbers? Take the first one? Take them all and make it a multi value field?
How do I make a multi-value field?
https://regex101.com/r/ELFlV3/1
I don't want the sample test run in my result:
Final result would be 8768,789JRH,789JRH,789JRH,7854JRH
@swetasoneji, following is a run anywhere search based on the sample data to fetch account.
| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768"
| rex "\/Eex for account\(s\):\s(?<accounts>.*)"
Based on your data and partial rex it seems that, if there are multiple accounts, they would be comma separated. Can you please add another sample for multiple accounts?
You can try the following run anywhere search if multiple accounts are comma separated.
| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768.8851,8423"
| rex "\/Eex for account\(s\):\s(?<accounts>.*)"
| makemv delim="," accounts
| mvexpand accounts
Following is the link from regex101.com for you to test the regular expression with your sample data and also understand how the regular expression is working: https://regex101.com/r/m1dGQZ/1
While posting sample data or code here on Splunk Answers you can click the code button which looks like 101010; you can also try the shortcut CTRL+K after highlighting the code/data, or in the worst case press enter before typing the code and add four spaces before every line of the code/data to enable a code section. If you do not do this, special characters will get escaped.
@swetasoneji, have you tried the answer above with run anywhere example?
This doesn't fit with the search I'm using.
https://regex101.com/r/ELFlV3/1
But I don't want anything from the sample test run.
Result should be: 8768,789JRH,789JRH,789JRH,7854JRH
rex field=_raw "Eex for account\(s\):\s+(?<accounts>[^,]+)"
Try using the code button (101010) or wrapping your rex command in backticks.