Splunk Search

Fetch incident from subject

priya0709
Path Finder

I am using below query to fetch Incident from the subject line:—

rex field=subject max_match=0 “(?<Incident>INC\d+)”

however, for below subject line i am unable to fetch incident:—

[SecMail:] INC000027755501|TAS00003760220 wrdna904xusa73|server is unreachable | INC000027790458| INC000027882562

0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

When I just made copy & paste from my previous example and then copy & paste both of your examples (one by one), both are working.

I suppose that you still have some issue with " or something similar.

r. Ismo

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

I think that this is duplicate question to 

https://community.splunk.com/t5/Splunk-Search/Regex-help-for-incident/m-p/515131#M144610

basically your issue seems to be wrong  “ and ”. Otherwise your query is working as expected just switch both of those to ".

| makeresults
| eval subject="[SecMail:] INC000027755501|TAS00003760220 wrdna904xusa73|server is unreachable | INC000027790458| INC000027882562"
| rex field=subject max_match=0 "(?<Incident>INC\d+)"
| table Incident subject

r. Ismo 

0 Karma

priya0709
Path Finder

thank you for your reply!!

however, My query

rex field=subject max_match=0 "(?<Incident>INC\d+)"

works fine for Eg1 in which INC is appended by space in subject line. however, for eg2 INC is appended by | in this case Incident number is not fetched.


eg 1:- RE: INC0000756784 | server is unreachable 

eg 2:- RE:INC0000564789|Minor|server unreachable 

0 Karma

thambisetty
SplunkTrust
SplunkTrust

It doesn’t think of other characters. It matches  if there is INC FOLLOWED BY 10 digits.

————————————
If this helps, give a like below.
0 Karma

isoutamo
SplunkTrust
SplunkTrust

When I just made copy & paste from my previous example and then copy & paste both of your examples (one by one), both are working.

I suppose that you still have some issue with " or something similar.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...