I am trying to extract a string of numbers (6-8 digits) within a string. each of the string extracted/detected will be a category of event ID. And I will need to tabulate the stat of these event IDs. What is a good way of doing it?
try this:
index=<your_index> |rex "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})"
also, try this run anywhere search:
| makeresults
| eval data="054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9,999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9"
| makemv data delim=","
| mvexpand data
| rex field=data "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})"
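The same extraction and the per-ID tally the question asks for, as an added example outside Splunk (not code from the thread): it applies the answer's pattern with Python's re module to the two sample events from the thread plus one constructed line with no marker, so a record the regex does not match is reported instead of silently dropped.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Same pattern as the rex command above. Splunk's rex accepts (?<name>...),
# Python's re module needs the (?P<name>...) form for a named group.
EVENT_ID_RE = re.compile(r"(\d|\w)\d{3}_\d{3}01(?P<EventId>\d{4})")


def extract_event_id(line: str) -> Optional[str]:
    """Return the 4-digit event ID that follows xxxx_xxx01, or None if absent."""
    m = EVENT_ID_RE.search(line)
    return m.group("EventId") if m else None


def tabulate_event_ids(lines: Iterable[str]) -> Dict[str, int]:
    """Count each event ID; lines without one are tallied under 'NO_MATCH'."""
    counts: Counter = Counter()
    for line in lines:
        event_id = extract_event_id(line)
        counts[event_id if event_id is not None else "NO_MATCH"] += 1
    return dict(counts)


# The two events quoted in the thread (the first repeated once) plus one
# constructed line with no event marker.
SAMPLE_LINES = [
    "054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9",
    "999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9",
    "054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9",
    "000000 20191025183400 heartbeat record without an event marker",  # constructed
]

if __name__ == "__main__":
    # Equivalent of "| stats count by EventId" on the sample lines.
    for event_id, n in sorted(tabulate_event_ids(SAMPLE_LINES).items()):
        print(f"{event_id}\t{n}")
```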
Like this:
... | rex field=eventID "(?<myNumber>\d+)"
The best method will depend upon the exact use case of yours. Please share some sample values, highlight what part you want to extract and what aggregation/reporting you want out of it. Sample expected output will help too.
for example, for the first event,
054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9, the event ID is the 43rd to 46th digits (4 digits), "2006", after xxxxx_xxx01
or for the second example,
999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9
the event ID is "3002" which is the 4 digits after xxxx_xxx01.
the event ID begins with 01.
The best way of extracting is regex. Please give us sample input.
here is the sample input:
054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9
or
999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9
trying to extract the eventID that is after _031*01XXXX*
okay, can you tell me what's the eventID? what to extract from both the events?