Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter for a specific pattern with wild card?

aamer4zangi
Path Finder
‎04-05-2018 02:25 PM

Hi,

In excel you can custom filter the cells using a wild card with a question mark.
For example, if I want to filter following data I will write AB??-
AB22- , AB43-, AB03-

Are these searches possible in Splunk? If I write AB*- , it will match AB1233-, ABw-, AB22222222-.

I want specifically 2 characters between AB and -

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎04-05-2018 10:56 PM

Try this run anywhere search

| makeresults | eval raw="AB22-,AB43-,AB03-,AB1233-,ABw-,AB22222222-"| makemv raw delim="," | mvexpand raw| rex field=raw "(?<newfield>AB\d{2}-)"| search newfield=*

In your environment, you should write

<your  base search >| rex field=_raw "(?<newfield>AB\d{2}-)"| search newfield=*

If these are getting capture in a specific field the write field=<your_field> in rex command or else _raw.

let me know if this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎04-05-2018 10:56 PM

Try this run anywhere search

| makeresults | eval raw="AB22-,AB43-,AB03-,AB1233-,ABw-,AB22222222-"| makemv raw delim="," | mvexpand raw| rex field=raw "(?<newfield>AB\d{2}-)"| search newfield=*

In your environment, you should write

<your  base search >| rex field=_raw "(?<newfield>AB\d{2}-)"| search newfield=*

If these are getting capture in a specific field the write field=<your_field> in rex command or else _raw.

let me know if this helps!

Reply
Solved! Jump to solution

aamer4zangi
Path Finder
‎04-06-2018 08:58 AM

Thanks for the reply.
I must confess I am encountering makeresults for the first time, so trying to wrap my head around the search cmd.

AB22-,AB43-,AB03-,AB1233-,ABw-,AB22222222- is not my raw data, it was just an example. The cells contain data with a pattern of ABXX- and I want to filter only those records in a specific column which follow that specific pattern.

I did come across filter option when converting data into Data Table. However, still no success.

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎04-06-2018 09:01 AM

did you try this?

index=<your_index>| rex field=_raw "(?<newfield>AB\d{2}-)"| search newfield=*

can you share sample raw events so that I can give you appropriate regex?

Reply
Solved! Jump to solution

aamer4zangi
Path Finder
‎04-06-2018 09:16 AM

There are thousands of lines, just sampling few lines. This data is coming from comments people write for specific hardware and is not generated by a machine. Thus, it is highly random. The raw data is as follows. Additionally this data is present in a specific column.

After the search the first 6 rows should be the final result.

1 1401812.AQWEAB02-TCPL02.1G
2 1356292.QWERAB04-ANCA02
3 1234OAB05-PLAIN02 reserved ||
4 1405252.AB07-SBCC01
5 1409325-ARDRAB05-GENIV02.22
6 1304030.ARDRAB07-TECEL02.10333
7 1389621.ABFDBC01-COGDS02333
8 1349222.ABFDBC01-MOH29.5MJJ
9 1313513.ABFDBC01-BPRSS
10 1393599.ABFDBC01-WGELP
11 1375957.ABFDBC01-BREQL01.0M222
12 1332348.ABFDBC01-MANNG01.10M1WW1

13 1321017.ABFDBC01-BLJCW01.3MQQ

Moreover, it is not only AB??- that I would be searching for, there are other criteria as well but I guess if we can get one criteria down then others should follow the same pattern.

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎04-06-2018 09:36 AM

yes so I have given the correct regex
what is the result of this search?

 index=<your_index>| rex field=_raw "(?<newfield>AB\d{2}-)"| search newfield=*

I have already given you the solution.
See my workaround here. it is exactly matching first 6 events. above search will return only events with AB??-.
https://regex101.com/r/7b6mTh/1

Reply
Solved! Jump to solution

mayurr98
Super Champion
‎04-06-2018 09:39 AM

If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.

0 Karma
Reply
Solved! Jump to solution

aamer4zangi
Path Finder
‎04-06-2018 09:57 AM

Thanks a lot mate. Yes, it worked as wanted. In the end if I want to add BC??- to AB??- how should I add these two.

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎04-06-2018 10:07 AM

do you mean (AB OR BC)??-?
then try this 

(?<newfield>((AB)|(BC))\d{2}-)
Reply
Solved! Jump to solution

aamer4zangi
Path Finder
‎04-06-2018 10:18 AM

Thanks again...yes. It did the trick.

Moreover, regex101.com is a great tool.

Reply
Solved! Jump to solution

mayurr98
Super Champion
‎04-06-2018 08:55 AM

did you try this?

0 Karma
Reply
Solved! Jump to solution

sravankaripe
Communicator
‎04-05-2018 03:23 PM

write add below rex to your query

| rex "AB(?\d\d)-" | eval myfield="AB".myfield | search myfield=*

please let me know if its works?

0 Karma
Reply
Solved! Jump to solution

aamer4zangi
Path Finder
‎04-06-2018 08:44 AM

Thanks in advance. I got the following error.

Error in 'rex' command: Encountered the following error while compiling the regex 'AB(?\d\d)-': Regex: unrecognized character after (? or (?-

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...