Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with regex search?

jerinvarghese
Communicator
‎11-15-2022 02:44 AM

Hi Team,

Thanks in advance,

Need a quick help in Regex query,

Input values: 

KUL6LJBJ62YD
BLR6LC7BLNJR
HRI6M5G6KKPH
KUL6LJ3N0F6J
HRI6LBJKRHHR
HRI6LB65G6NF

 

Expected output: 

First 3 character of each phrase.

 

CUrrent Regex : (?<SITE_NAME>[^\W]{3})    << BUT AM not getting proper output>>

Expected Output :

| table SITE_NAME

KUL

BLR

HRI

KUL
HRI

HRI

 

Thanks

Jerin V

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SplunkExplorer
Communicator
‎11-15-2022 05:25 AM

Hi @jerinvarghese, I don't know if your input can contain only number and letters or also other symbols; in case of alphabet letter and arabic number only, I tested this on regex101: Regex3chars 

Please let me know if it works or Splunk or not.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-15-2022 05:30 AM

There are a couple of things you might want to change - you could use the max_match option to limit the number of matches, you could use the carat (^) to anchor the match to the beginning of the field, you could use \w instead of the double negative (^ in the square brackets means not, \W means not \w, so ^\W should be equivalent to \w)

| rex max_match=1 "(?<SITE_NAME>^\w{3})"

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-15-2022 02:58 AM

Hi @jerinvarghese,

your regex is correct and you could also use substr:

| eval SITE_NAME=substr(SITE_NAME,3)

so what is your issue?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-15-2022 02:50 AM

Your output is exactly the first 3 characters of each input.  What is the question then?

0 Karma
Reply
Solved! Jump to solution

jerinvarghese
Communicator
‎11-15-2022 04:02 AM

splunk query.png

 In my search in SPlunk, It sometimes shows me the second vlaue(dark green), thats where i got the problem.

0 Karma
Reply
Solved! Jump to solution
Solution

SplunkExplorer
Communicator
‎11-15-2022 05:25 AM

Hi @jerinvarghese, I don't know if your input can contain only number and letters or also other symbols; in case of alphabet letter and arabic number only, I tested this on regex101: Regex3chars 

Please let me know if it works or Splunk or not.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...