Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to capture 2 slightly different pattern of strings through regex and make it one field

ms208a
Explorer
‎05-15-2018 10:49 PM

Hello All ,
i wanted to capture the numeric values for below strings ctn.
CTN captured into 2 different formats.
First "ctn": "2148504794" - it has space between ":" and numeric values
Second ctn":"2148504794" - it doesn't have space between ":" and numeric values
like
"ctnId":279,"ctn":"2148504794",
processDMaaPMessage {"device": [{"ctn": "2148504794","status": "Restored"}]}}

i am using this rex
rex "ctn\"[:|: ] \"(?\d+)\","

but it seems it didn't work

please suggest a fix

Tags (1)
Reply

mayurr98
Super Champion
‎05-16-2018 03:35 AM

Try this run anywhere search

| makeresults 
| eval data="\"ctn\": \"2148504794\"" 
| append 
    [| makeresults 
    | eval data="ctn\":\"2148504794\""] 
| rex field=data "ctn\":(|\s+)\"(?<ctn>[^\"]+)"

In your environment you should try,

<your base search>| rex field=_raw "ctn\":(|\s+)\"(?<ctn>[^\"]+)"

let me know if this helps!

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-16-2018 03:57 AM

Also, you might want to start using a service like regex101.com. It would've shown you that your regex has invalid syntax. 🙂

0 Karma
Reply

ms208a
Explorer
‎05-16-2018 12:03 PM

Thanks Mayur, it works 🙂

i am trying to capture below reasonMessage also, but it capture
the colon with space only like "reasonMessage": "Uplift transaction failed due to SWC system error"}]}}*

i wanted to capture below strings as well.
"reasonMessage": "Uplift transaction failed due to SWC system error"}]}}

Thanks alot for your time and inputs.

0 Karma
Reply

mayurr98
Super Champion
‎05-22-2018 10:40 PM

Try this regex \"reasonMessage\"\:\s\"(?<reasonMessage>[^\"]+)

0 Karma
Reply

ms208a
Explorer
‎06-04-2018 04:54 PM

You rocks Mayur. Thanks again

0 Karma
Reply

niketn
Legend
‎06-04-2018 10:14 PM

@ms208a, if your issue is resolved, please accept the answer to mark this question as answered and help others facing similar issue in future.

Do up vote the comment/s that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...