Regex involving the "|" character

cindygibbs_08
Communicator

Hello guys, first let me please thank you for all the help I get from you guys... you people rock!!!!

I am trying to extract a code that is inside a string that reads as follows:

BOX="|autx_path\IUIUXX-8569545|"

I want to be able to extract the numbers at the end and also the first 3 characters to the left of the numbers, so this would give me: XX-8569545, as "XX-" are the first 3 characters on the left side of the numbers... Is this even possible in Splunk? Thank you much for your help, guys.

Love,

Cindy


venkatasri
SplunkTrust

Hi @cindygibbs_08 

Can you try this, assuming your BOX field is already being extracted?

index=<your_index> 
| rex field=BOX "(?<inner_box>\w{2}\-\d+)\|$"

If the BOX field is not already being extracted, you can try the below, which works on _raw directly.

index=<your_index>
| rex "(?<inner_box>\w{2}\-\d+)\|\"$"

 

---

An upvote would be appreciated and Accept solution if it helps!

 


venkatasri
SplunkTrust

@cindygibbs_08 The extracted value is written to the inner_box field.

cindygibbs_08
Communicator

Hello @venkatasri, thank you so much, you are such a sweetheart... I forgot to tell you that the pattern that I am trying to match is actually inside a comment... that can have any sort of words but at some point will contain exactly the pattern that I wrote... and because of this piece of info that I did not share, the regex is not working for me. I would be so thankful if you could let me know how to correct the regex to get the pattern from inside a comment.

venkatasri
SplunkTrust

@cindygibbs_08 Can you share a complete sample event having the comment box etc.?

cindygibbs_08
Communicator

Hey @venkatasri, thank you for your help, this means a lot to me...

The field is called HEAD and it comes like this:

"American_lines_aws_@67-+)// code tab BOX="|autx_path\IUIUXX-8569545| train flight YUOO corp track none client OK AUTH 7382-2+78888"

 

I know it looks messy, and in fact it can be a lot more complicated and can have more letters or numbers, but the only thing that is always consistent is the pattern "|autx_path\IUIUXX-8569545|"

venkatasri
SplunkTrust

@cindygibbs_08 Can you try this? As you said, field=HEAD; if it is not working, you can remove it to try, and then it works directly on _raw.

index=<your_index> 
| rex field=HEAD "(?<inner_box>\w{2}\-\d+)\|"

  ---

An upvote would be appreciated and Accept solution if it helps!
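
The end-anchored and unanchored patterns from this thread, checked in Python against the posted HEAD sample (an added example, not code from the thread). BOX_VALUE, DECOY and the STRICT pattern are assumptions introduced here to show where the unanchored form can pick up a look-alike token.

```python
import re

# Constructed inputs: HEAD is the sample event quoted in the thread, BOX_VALUE is
# the BOX value on its own, DECOY is a made-up event with a look-alike token first.
HEAD = (r'American_lines_aws_@67-+)// code tab BOX="|autx_path\IUIUXX-8569545| '
        r'train flight YUOO corp track none client OK AUTH 7382-2+78888')
BOX_VALUE = r'|autx_path\IUIUXX-8569545|'
DECOY = r'ticket ZZ-42| reopened, BOX="|autx_path\IUIUXX-8569545| done'

# Python spells named groups (?P<name>...); Splunk's rex spells them (?<name>...).
# End-anchored: only matches when the closing pipe is the last character.
ANCHORED = re.compile(r'(?P<inner_box>\w{2}-\d+)\|$')
# Unanchored: two word characters, a hyphen, digits, then the closing pipe.
UNANCHORED = re.compile(r'(?P<inner_box>\w{2}-\d+)\|')
# Assumption (not from the thread): tie the match to the literal |autx_path\ prefix
# and require letters before the hyphen, so look-alike tokens are skipped.
STRICT = re.compile(r'\|autx_path\\[^|]*?(?P<inner_box>[A-Za-z]{2}-\d+)\|')


def extract(pattern, text):
    """Return the inner_box capture of the first match, or None."""
    match = pattern.search(text)
    return match.group('inner_box') if match else None


if __name__ == '__main__':
    patterns = [('anchored', ANCHORED), ('unanchored', UNANCHORED), ('strict', STRICT)]
    samples = [('BOX_VALUE', BOX_VALUE), ('HEAD', HEAD), ('DECOY', DECOY)]
    for name, pattern in patterns:
        for label, text in samples:
            print(f'{name:10} {label:9} -> {extract(pattern, text)}')
```

The `$` anchor is what fails on the full HEAD value, because the closing pipe is followed by more text; the unanchored pattern returns the first token of that shape, which is the wrong one when a look-alike appears earlier in the event.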
