Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is regex for below?

karu0711
Communicator
‎03-20-2023 12:37 PM

FW: [ DOC 45 ] DTP: DEMO XXX CCC | 20147
I want to extract number after pie as field name "data".  what is the regex?

Tags (1)
0 Karma
Reply

manjunathmeti
Champion
‎03-20-2023 08:06 PM

You can check this and get to know how the data is extracted.
https://regex101.com/r/dECVmS/1 

0 Karma
Reply

The_Data_Pirate
Splunk Employee
Splunk Employee
‎03-20-2023 02:08 PM

Hi Karu, this should work by taking the raw data and only selecting the digits after the pipe character. The space after the pipe is ignored before the digits are placed into a new field named data.

| rex field=_raw "\|\s(?<data>\d*)"

 

Reply

karu0711
Communicator
‎03-21-2023 07:18 AM

FW: [ DOC 45 ] DTP: DEMO XXX CCC | 20147

I also need to separate [ DOC 45] as category 
DTP as type 

demo xxx ccc as call

 

0 Karma
Reply

The_Data_Pirate
Splunk Employee
Splunk Employee
‎03-21-2023 03:44 PM

as long as the data structure doesn't change too much this should work.

 

| rex field=_raw ".*\[\s(?<category>.*)\s\]\s(?<type>\w*).*\|\s(?<data>\d*)"
Reply

somesoni2
Revered Legend
‎03-20-2023 01:54 PM

Give this a try

\|(?<data>\d+)
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top