Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex to extract quoted text aftera stats command

cindygibbs_08
Communicator
‎06-22-2021 03:30 PM

I hope everyone is having a great time today,
I am here to first thank you guys for being so helpful and assertive! you people rock! and second to ask for assistance regarding a regular expression.
I have a field that will contain a string that will start by "check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##"
I want to be able to extract the string that is between the "##"  but... sometimes this field may have a string that starts by "the auth was..." I want to be able to extract any string   between two "#" whenever the value of the field starts with  "check-in unavailable due to external cause the ref code is"  

 

for example
 if I have this:

FIELDCODE
"check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##AIUI- 989 K-IOJ
"the auth was denied code ## uik-55855##"N.A

 

thank you guys SO MUCH

 

Kindy,

Cindy

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-22-2021 04:12 PM 
| makeresults 
| eval _raw="check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##
the auth was denied code ## uik-55855##"
| multikv noheader=t
| fields _raw
| rex "check-in unavailable due to external cause the ref code is ##(?<code>[^#]+)##"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-22-2021 04:12 PM 
| makeresults 
| eval _raw="check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##
the auth was denied code ## uik-55855##"
| multikv noheader=t
| fields _raw
| rex "check-in unavailable due to external cause the ref code is ##(?<code>[^#]+)##"
Reply
Solved! Jump to solution

cindygibbs_08
Communicator
‎06-22-2021 06:15 PM

I have a question what would the rex function will look like if instead of two "#" the coude would come inside two "*"  like this :  **UID J- DIDD**, I would just change the "#" by "*"??

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-23-2021 12:34 AM

Asterisks "*" have special meaning in regex so each would need to be escaped with a backslash "\"

| makeresults 
| eval _raw="check-in unavailable due to external cause the ref code is **AIUI- 989 K-IOJ**
the auth was denied code ** uik-55855**"
| multikv noheader=t
| fields _raw
| rex "check-in unavailable due to external cause the ref code is \*\*(?<code>[^\*]+)\*\*"

 

0 Karma
Reply
Solved! Jump to solution

cindygibbs_08
Communicator
‎06-22-2021 06:02 PM

@ITWhisperer  I am in love with you

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-23-2021 12:29 AM

Thanks Cindy ❤️😁

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...