Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting field with different type of data

niks987
Explorer
‎10-20-2021 12:22 AM

Hi All,

Hope you all are doing good.

I am trying to extract a field which the different types of data. I want to extract the reference number.

DATA:-

0561170-0443 :- 0561170 this is reference number
0213_DFS_201021004 :- 201021004 this is reference number
0159_1606766A_191021016 :- 1606766A this is reference number

Can you please let me know how i can achieve this, i tried rex but it wont work. Is there any other way to do it?

 

Thanks in advance 🙂

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-20-2021 02:10 AM

You could use two rex

| rex "(_[A-Za-z]+_|\d+_)(?<number>\d+[A-Za-z]?)"
| rex "(?<number>\d+)-"
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-20-2021 02:00 AM

Could you be more precise about what part you're trying to extract from this sample?

And what are the conditions regarding where this identifier can/should be.

0 Karma
Reply

niks987
Explorer
‎10-20-2021 02:14 AM

Hi @PickleRick ,

We have a field named POREFERENCE in that we have three type of data 

0561170-0443 :- 0561170 this is reference number
0213_DFS_201021004 :- 201021004 this is reference number
0159_1606766A_191021016 :- 1606766A this is reference number

i want to extract the reference number from them.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-20-2021 02:47 AM

Ahh, I didn't notice that you pointed to a substring. My bad.

So I see that the format is in no way consistent and in no way the position is constant. I suppose it's bad luck. Unless you can describe precisely what/where the ID is, you won't be able to extract it automaticaly because how would splunk know what is and what isn't your ID?

Assuming that it must be a string of digits, how is splunk supposed to know that in your first example it's the first part (the one before the dash), in your second case - it's the one after two floor (_) signs and in the first case it's... not even a digit-only identifier.

Sorry, unless you can be more specific with those cases, it seems impossible.

 

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...