Regex involving the "|" character

cindygibbs_08
Communicator

Hello guys, first let me please thank you for all the help I get from you guys... you people rock!!!!

I am trying to extract a code that is inside a string that reads as follows:

BOX="|autx_path\IUIUXX-8569545|"

I want to be able to extract the numbers at the end and also the first 3 characters to the left of the numbers, so this would give me: XX-8569545, as "XX-" are the 3 first characters on the left side of the numbers... Is this even possible in Splunk? Thank you much for your help, guys.

Love,

Cindy


venkatasri
SplunkTrust

Hi @cindygibbs_08 

Can you try this, assuming your BOX field is already being extracted?

index=<your_index> 
| rex field=BOX "(?<inner_box>\w{2}\-\d+\|$)"

If the BOX field is not already being extracted, you can try the below, which works on _raw directly.

index=<your_index>
| rex "(?<inner_box>\w{2}\-\d+\|\"$)"

 

---

An upvote would be appreciated and Accept solution if it helps!

 


venkatasri
SplunkTrust

@cindygibbs_08 the extracted value is written to the inner_box field.

cindygibbs_08
Communicator

Hello @venkatasri, thank you so much, you are such a sweetheart... I forgot to tell you that the pattern that I am trying to match is actually inside a comment... that can have any sort of words but at some point will contain exactly the pattern that I wrote, and because of this piece of info that I did not share, the regex is not working for me. I would be so thankful if you could let me know how to correct the regex to get the pattern from inside a comment.

venkatasri
SplunkTrust

@cindygibbs_08 can you share a complete sample event having the comment, box, etc.?

cindygibbs_08
Communicator

Hey @venkatasri, thank you for your help, this means a lot to me...

The field is called HEAD and it comes like this:

"American_lines_aws_@67-+)// code tab BOX="|autx_path\IUIUXX-8569545| train flight YUOO corp track none client OK AUTH 7382-2+78888"

 

I know it looks messy, and in fact it can be a lot more complicated and it can have more letters or numbers, but the only thing that is always consistent is the pattern "|autx_path\IUIUXX-8569545|"

venkatasri
SplunkTrust

@cindygibbs_08 can you try this? As you said field=HEAD; if it is not working, you can remove it so that it works directly on _raw.

index=<your_index> 
| rex field=HEAD "(?<inner_box>\w{2}\-\d+)\|"

  ---

An upvote would be appreciated and Accept solution if it helps!
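
An added example, not part of the original thread: a Python check of the two patterns posted above against constructed values modelled on the poster's samples, showing why the `$`-anchored form only matches when the field ends at the closing pipe (and keeps that pipe in the capture). Python's `re` needs `(?P<name>...)` where Splunk's rex accepts `(?<name>...)`; the variable and function names are this example's own.

```python
import re

# Patterns from the thread, with the named group rewritten for Python's re
# module: (?<inner_box>...) in rex becomes (?P<inner_box>...) here.
ANCHORED = re.compile(r"(?P<inner_box>\w{2}\-\d+\|$)")    # earlier reply, field=BOX
UNANCHORED = re.compile(r"(?P<inner_box>\w{2}\-\d+)\|")   # accepted reply, field=HEAD

# Constructed sample values, modelled on the strings quoted in the thread.
BOX_ONLY = r"|autx_path\IUIUXX-8569545|"
HEAD = (
    r'American_lines_aws_@67-+)// code tab BOX="|autx_path\IUIUXX-8569545| '
    r"train flight YUOO corp track none client OK AUTH 7382-2+78888"
)
NO_CODE = "code tab train flight AUTH 7382-2+78888"  # decoy digits, no pipe


def extract(pattern, value):
    """Return the inner_box capture, or None when the pattern does not match."""
    match = pattern.search(value)
    return match.group("inner_box") if match else None


def compare(value):
    """Run both patterns over one value and return their captures side by side."""
    return {
        "anchored": extract(ANCHORED, value),
        "unanchored": extract(UNANCHORED, value),
    }


if __name__ == "__main__":
    for label, value in (("BOX_ONLY", BOX_ONLY), ("HEAD", HEAD), ("NO_CODE", NO_CODE)):
        print(label, compare(value))
```

The trailing `\|` outside the capture group is what keeps `7382-2+78888` and `67-+` in the comment from being picked up: the digits must be followed directly by the closing pipe.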
