
Regex involving the "|" character

cindygibbs_08
Communicator

Hello guys, first let me please thank you for all the help I get from you guys... you people rock!!!!

I am trying to extract a code that is inside a string that reads as follows:

BOX="|autx_path\IUIUXX-8569545|"

I want to be able to extract the numbers at the end and also the first 3 characters to the left of the numbers, so this would give me: XX-8569545, as "XX-" are the first 3 characters on the left side of the numbers... is this even possible in Splunk? Thank you very much for your help, guys.

Love,

Cindy


venkatasri
SplunkTrust

Hi @cindygibbs_08 

Can you try this, assuming your BOX field is already being extracted?

index=<your_index> 
| rex field=BOX "(?<inner_box>\w{2}\-\d+)\|$"

If the BOX field is not already being extracted, you can try the search below, which works on _raw directly.

index=<your_index>
| rex "(?<inner_box>\w{2}\-\d+)\|\"$"

 

---

An upvote would be Appreciated and Accept solution if it helps!

 

venkatasri
SplunkTrust

@cindygibbs_08 The extracted value is written to the inner_box field.

cindygibbs_08
Communicator

Hello @venkatasri, thank you so much, you are such a sweetheart... I forgot to tell you that the pattern that I am trying to match is actually inside a comment that can have any sort of words but at some point will contain exactly the pattern that I wrote, and because of this piece of info that I did not share, the regex is not working for me. I would be so thankful if you could let me know how to correct the regex to get the pattern from inside a comment.


venkatasri
SplunkTrust

@cindygibbs_08 Can you share a complete sample event that has the comment, BOX, etc.?

cindygibbs_08
Communicator

Hey @venkatasri, thank you for your help, this means a lot to me...

The field is called HEAD and it comes like this:

"American_lines_aws_@67-+)// code tab BOX="|autx_path\IUIUXX-8569545| train flight YUOO corp track none client OK AUTH 7382-2+78888"

 

I know it looks messy, and in fact it can be a lot more complicated and it can have more letters or numbers, but the only thing that is always consistent is the pattern "|autx_path\IUIUXX-8569545|"

venkatasri
SplunkTrust

@cindygibbs_08 Can you try this? As you said, the field is HEAD; if it is not working, you can remove field=HEAD to try it, and then it works directly on _raw.

index=<your_index> 
| rex field=HEAD "(?<inner_box>\w{2}\-\d+)\|"

  ---

An upvote would be appreciated and Accept solution if it helps!
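
The difference between the `$`-anchored pattern and the unanchored one from this thread, as an added example that is not part of the original posts. It uses Python's `re` instead of Splunk's `rex`, so the named group is written `(?P<inner_box>...)`; the sample values are constructed from the strings quoted above, and the names `extract` and `compare` are hypothetical.

```python
import re

# Python's re spells named groups (?P<name>...); Splunk's rex (PCRE) uses (?<name>...).
# Anchored form: the match must be followed by the pipe and closing quote
# at the very end of the value.
ANCHORED = re.compile(r'(?P<inner_box>\w{2}-\d+)\|"$')
# Unanchored form: two word characters, a hyphen, digits, then a pipe,
# anywhere in the value. The pipe stays outside the capture group.
UNANCHORED = re.compile(r'(?P<inner_box>\w{2}-\d+)\|')

# Constructed sample values based on the strings quoted in the thread.
SAMPLES = {
    # BOX on its own: the pipe and quote end the string.
    "bare_box": 'BOX="|autx_path\\IUIUXX-8569545|"',
    # BOX buried in a longer comment, with a decoy "82-2" near the end.
    "in_comment": (
        'American_lines_aws_@67-+)// code tab BOX="|autx_path\\IUIUXX-8569545| '
        'train flight YUOO corp track none client OK AUTH 7382-2+78888'
    ),
    # No BOX at all: only the decoy, which is not followed by a pipe.
    "no_box": 'client OK AUTH 7382-2+78888',
}


def extract(pattern, text):
    """Return the inner_box capture, or None when the pattern does not match."""
    m = pattern.search(text)
    return m.group("inner_box") if m else None


def compare(samples=SAMPLES):
    """Map each sample name to (anchored result, unanchored result)."""
    return {
        name: (extract(ANCHORED, text), extract(UNANCHORED, text))
        for name, text in samples.items()
    }


if __name__ == "__main__":
    for name, (anchored, unanchored) in compare().items():
        print(f"{name:11} anchored={anchored!r:14} unanchored={unanchored!r}")
```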
