Help with regex search?

jerinvarghese
Communicator

Hi Team,

Thanks in advance,

Need a quick help in Regex query,

Input values: 

KUL6LJBJ62YD
BLR6LC7BLNJR
HRI6M5G6KKPH
KUL6LJ3N0F6J
HRI6LBJKRHHR
HRI6LB65G6NF

 

Expected output:

First 3 characters of each phrase.

Current Regex : (?<SITE_NAME>[^\W]{3})    << But I am not getting proper output >>

Expected Output :

| table SITE_NAME

KUL
BLR
HRI
KUL
HRI
HRI

Thanks

Jerin V

0 Karma
1 Solution

SplunkExplorer
Communicator

Hi @jerinvarghese, I don't know if your input can contain only numbers and letters or also other symbols; in the case of alphabet letters and Arabic numerals only, I tested this on regex101: Regex3chars

Please let me know if it works on Splunk or not.

0 Karma

ITWhisperer
SplunkTrust

There are a couple of things you might want to change - you could use the max_match option to limit the number of matches, you could use the caret (^) to anchor the match to the beginning of the field, you could use \w instead of the double negative (^ in the square brackets means not, \W means not \w, so ^\W should be equivalent to \w).

| rex max_match=1 "(?<SITE_NAME>^\w{3})"
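
Added example, not part of the original thread or any poster's code: Python's `re` stands in for Splunk's regex engine to compare the question's unanchored pattern with the anchored one from the reply above, on the question's input values plus two constructed values. The `rex` and `substr` helpers are hypothetical emulations of the Splunk commands, and Python needs `(?P<name>...)` where Splunk accepts `(?<name>...)`.

```python
import re

# Input values from the question, plus two constructed edge cases (not from
# the thread) where the code is preceded by other characters.
PAGE_VALUES = ["KUL6LJBJ62YD", "BLR6LC7BLNJR", "HRI6M5G6KKPH",
               "KUL6LJ3N0F6J", "HRI6LBJKRHHR", "HRI6LB65G6NF"]
CONSTRUCTED = [" -KUL6LJBJ62YD", "site=BLR6LC7BLNJR"]

UNANCHORED = r"(?P<SITE_NAME>[^\W]{3})"  # pattern from the question
ANCHORED = r"(?P<SITE_NAME>^\w{3})"      # pattern from the reply above


def rex(pattern, value, max_match=1):
    """Emulate rex extraction of SITE_NAME (hypothetical helper).

    max_match=0 means unlimited matches, as in rex; re.ASCII keeps \\w to
    [A-Za-z0-9_] (assumption: no Unicode word characters in the field).
    """
    found = [m.group("SITE_NAME")
             for m in re.finditer(pattern, value, re.ASCII)]
    return found if max_match == 0 else found[:max_match]


def substr(value, start, length):
    """Emulate eval substr(), whose start index is 1-based."""
    return value[start - 1:start - 1 + length]


def compare(values):
    """Return one row per value with the result of each extraction method."""
    return [{
        "value": v,
        "unanchored_all": rex(UNANCHORED, v, max_match=0),
        "unanchored_first": rex(UNANCHORED, v),
        "anchored": rex(ANCHORED, v),
        "substr": substr(v, 1, 3),
    } for v in values]


if __name__ == "__main__":
    for row in compare(PAGE_VALUES + CONSTRUCTED):
        print(row)
```

On the constructed value `site=BLR6LC7BLNJR` both patterns return `sit`, so anchoring only helps when the field passed to `rex` actually starts with the site code.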

 

gcusello
SplunkTrust

Hi @jerinvarghese,

your regex is correct and you could also use substr:

| eval SITE_NAME=substr(SITE_NAME,1,3)

so what is your issue?

Ciao.

Giuseppe

0 Karma

yuanliu
SplunkTrust

Your output is exactly the first 3 characters of each input.  What is the question then?

0 Karma

jerinvarghese
Communicator

splunk query.png

In my search in Splunk, it sometimes shows me the second value (dark green); that's where I got the problem.

0 Karma
