Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex to extract quoted text aftera stats command

cindygibbs_08
Communicator
‎06-22-2021 03:30 PM

I hope everyone is having a great time today,
I am here to first thank you guys for being so helpful and assertive! you people rock! and second to ask for assistance regarding a regular expression.
I have a field that will contain a string that will start by "check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##"
I want to be able to extract the string that is between the "##"  but... sometimes this field may have a string that starts by "the auth was..." I want to be able to extract any string   between two "#" whenever the value of the field starts with  "check-in unavailable due to external cause the ref code is"  

 

for example
 if I have this:

FIELDCODE
"check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##AIUI- 989 K-IOJ
"the auth was denied code ## uik-55855##"N.A

 

thank you guys SO MUCH

 

Kindy,

Cindy

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-22-2021 04:12 PM 
| makeresults 
| eval _raw="check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##
the auth was denied code ## uik-55855##"
| multikv noheader=t
| fields _raw
| rex "check-in unavailable due to external cause the ref code is ##(?<code>[^#]+)##"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-22-2021 04:12 PM 
| makeresults 
| eval _raw="check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##
the auth was denied code ## uik-55855##"
| multikv noheader=t
| fields _raw
| rex "check-in unavailable due to external cause the ref code is ##(?<code>[^#]+)##"
Reply
Solved! Jump to solution

cindygibbs_08
Communicator
‎06-22-2021 06:15 PM

I have a question what would the rex function will look like if instead of two "#" the coude would come inside two "*"  like this :  **UID J- DIDD**, I would just change the "#" by "*"??

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-23-2021 12:34 AM

Asterisks "*" have special meaning in regex so each would need to be escaped with a backslash "\"

| makeresults 
| eval _raw="check-in unavailable due to external cause the ref code is **AIUI- 989 K-IOJ**
the auth was denied code ** uik-55855**"
| multikv noheader=t
| fields _raw
| rex "check-in unavailable due to external cause the ref code is \*\*(?<code>[^\*]+)\*\*"

 

0 Karma
Reply
Solved! Jump to solution

cindygibbs_08
Communicator
‎06-22-2021 06:02 PM

@ITWhisperer  I am in love with you

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-23-2021 12:29 AM

Thanks Cindy ❤️😁

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...