Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex involving the ""|" character

cindygibbs_08
Communicator
‎06-28-2021 07:09 PM

Hello Guys First let me please thank you for all the help I get from you guys... you people rock!!!!

I am trying to extract a code that is inside a string that reads as follows:

BOX="|autx_path\IUIUXX-8569545|"

I want to be able to extract the numbers at the end and also the first 3 characters to the left of the numbers so his would give me:  XX-8569545 as "XX-" are the 3 first characters on the left side of the numbers... is this even possible in splunk? thank you much for your help guys

Love,

Cindy

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 06:05 PM

@cindygibbs_08  can you try this? As you said field=HEAD, you can remove it to try if not working then it works directly on _raw.

index=<your_index> 
| rex field=HEAD "(?<inner_box>\w{2}\-\d+)\|"

  ---

An upvote would be appreciated and Accept solution if it helps!

View solution in original post

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-28-2021 07:36 PM

Hi @cindygibbs_08 

Can you try this, Assuming your BOX field already being extracted.

index=<your_index> 
| rex field=BOX "(?<inner_box>\w{2}\-\d+\|$)"

If the BOX field already not being extracted you can try below works on _raw directly.  

index=<your_index>
| rex "(?<inner_box>\w{2}\-\d+\|\"$)"

 

---

An upvote would be Appreciated and Accept solution if it helps!

 

Tags (1)
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-28-2021 07:40 PM

@cindygibbs_08  extracted value being written to inner_box field.

Reply
Solved! Jump to solution

cindygibbs_08
Communicator
‎06-29-2021 10:00 AM

Hello @venkatasri  thank you so much you are such a sweetheart... I forgot to tell you that the pattern that I am trying to match is actually inside a comment...  that can have any sort of words but at some point will contain exactly the pattern that I wrote.. and because of this piece of info that I did not share the regex is not working for me I would be so thankful if you could let me know how to correct the regex to get the pattern from insede a comment

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 02:42 PM

@cindygibbs_08 can you share complete sample event having comment box etc?

Reply
Solved! Jump to solution

cindygibbs_08
Communicator
‎06-29-2021 05:59 PM

Hey @venkatasri  thank you for your help this means a lot to me... 

The field is call HEAD and it comes like this:

"American_lines_aws_@67-+)// code tab BOX="|autx_path\IUIUXX-8569545| train flight YUOO corp track none client OK AUTH 7382-2+78888"

 

i know it looks messy and in fact it can be a lot more complicated and it can have more letters or numbers but the only thing that is always consistent is the pattern "|autx_path\IUIUXX-8569545|"

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 06:05 PM

@cindygibbs_08  can you try this? As you said field=HEAD, you can remove it to try if not working then it works directly on _raw.

index=<your_index> 
| rex field=HEAD "(?<inner_box>\w{2}\-\d+)\|"

  ---

An upvote would be appreciated and Accept solution if it helps!

Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...