Hello,
I have produced a search result field which looks something along the lines of BC000000$@ab.firmakhueny.abc\ (I have obfuscated the data however they are the same category).
What I would like to create is a regex or something similar which may do the job better to remove all data before and after "000000" and to only present this field in the table created. To confirm I have replicated the original field and added in quotation marks presenting the data that we would like presented after the regex - BC"000000"$@ab.firmakhueny.abc\ .
Thank you for the support in advance.
N.
To extract the numeric portion into a new field, this rex command should do the job.
... | rex field=foo "(?<newfield>\d+)" | ...
To replace the entire field with just the numeric portion, try this.
... | rex field=foo mode=sed "s/([^\d]+)(\d+)(.*)/\2/" | ...
Thank you for your response richgalloway. I have implemented the second rex command to replace the entire field with the six character numeric field from the initial search field however I am given this result "$2".
Thanks,
N
Ah, sorry about that. Regex101.com and Splunk use different substitution methods. I've corrected my answer.
Thanks that worked!
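The two rex commands from the answer, run side by side from the search bar on constructed sample values (an added example, not part of the original thread). The field name foo follows the answer; the second and third values are made up for illustration, the trailing backslash is left off the samples, and the field name replaced is hypothetical. The third value contains no digits, which shows the failure case: the extraction creates no newfield for that row and the sed substitution leaves the value untouched, so unparsed data can still reach the table.

```spl
| makeresults
| eval foo=split("BC000000$@ab.firmakhueny.abc;XY123456$@cd.example.abc;nodigits@ef.example.abc", ";")
| mvexpand foo
| rex field=foo "(?<newfield>\d+)"
| eval replaced=foo
| rex field=replaced mode=sed "s/([^\d]+)(\d+)(.*)/\2/"
| table foo newfield replaced
```

Filtering on the extracted field (for example `| where isnotnull(newfield)`) keeps rows without a numeric portion out of the result.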