Splunk Search

Concatenate onto Regex

edschembor
Path Finder

I'm trying to concatenate something onto one of my regex's.

ie:

index=eph | rex "EPH(?P<EPHID>\d+)" | table EPHID, _raw

I want the EPHID regex to be EPH902834091 instead of just 902834091. So even though the regex is "EPH(?P\d+)", I want the "EPH" at the beginning included. Is there a way to do this?

Thanks!!!

1 Solution

aweitzman
Motivator

Why not just include it in the group?

rex "(?<EPHID>EPH\d+)"

View solution in original post

Ayn
Legend

Just include the EPH in the matching group.

index=eph | rex "(?<EPHID>EPH\d+)" | table EPHID, _raw

aweitzman
Motivator

Why not just include it in the group?

rex "(?<EPHID>EPH\d+)"

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...