Solved: Re: create a field from regex

omershira · ‎12-15-2020

Hello,

From my system I recive number of events, some of them contain a value of the letter 'c' and then 7 digits like so: 'c5426987'. I want to create a field by the name user_id that will contain that value.

I tried to use extract field and mark the value I was searching for but it got only some of the results and not all of them, the thing is that the value shows up in different ways like:

- name:c1234567

-somedata/c1234567

- login by c1234567

and I can't find a way to get them all...

I tested a regex in a website that examines regexes and it did extract what I was searching for. the regex I tested was: "/c[/d]{7}/g" and it gave the wanted results on the website.

I tried using both rex and regex commands and they didnt seem to work...

can you please help me to find the way to create the field "user_id" using that regex?

thanks!

omer shira

richgalloway · ‎12-15-2020

Try this

your search
| rex "(?<user_id>c\d{7})"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-15-2020

Try this

your search
| rex "(?<user_id>c\d{7})"

---
If this reply helps you, Karma would be appreciated.

omershira · ‎12-20-2020

Yay! that's worked!

create a field from regex

administration

Analytics Workspace

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...