Extract string from text based on character positi...

kharlow · ‎07-25-2018

Hi,
I’m looking to extract a numerical value from a string, however struggling as there is nothing to use as a delimiter

I tried using this however it doesn’t work

 (\s){11}(8<field>\s)

Example:

foo-1a-barr12345678-aa11
foo-2b-baar87654321-bb22
foo-2c-bbar18273645-aa12

I wish to extract the number starting from char 12 to 20:
12345678
87654321
18273645

niketn · ‎07-25-2018

@kharlow, try the following regular expression

  "[^-]+-[^-]+-\D+(?<field>[^-]+)-"

Or if the raw data/field name on which regular expression is being applied begins with the format specified in the question

  "^[^-]+-[^-]+-\D+(?<field>[^-]+)-"

Following is a run anywhere search example based on your sample data where commands from makeresults to rename generate sample raw events as per the question:

| makeresults
| eval data="foo-1a-barr12345678-aa11;foo-2b-baar87654321-bb22;foo-2c-bbar18273645-aa12"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex field=_raw "[^-]+-[^-]+-\D+(?<field>[^-]+)-"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Extract string from text based on character position

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Extract string from text based on character position

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...