Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with regex search?

jerinvarghese
Communicator
‎11-15-2022 02:44 AM

Hi Team,

Thanks in advance,

Need a quick help in Regex query,

Input values: 

KUL6LJBJ62YD
BLR6LC7BLNJR
HRI6M5G6KKPH
KUL6LJ3N0F6J
HRI6LBJKRHHR
HRI6LB65G6NF

 

Expected output: 

First 3 character of each phrase.

 

CUrrent Regex : (?<SITE_NAME>[^\W]{3})    << BUT AM not getting proper output>>

Expected Output :

| table SITE_NAME

KUL

BLR

HRI

KUL
HRI

HRI

 

Thanks

Jerin V

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SplunkExplorer
Contributor
‎11-15-2022 05:25 AM

Hi @jerinvarghese, I don't know if your input can contain only number and letters or also other symbols; in case of alphabet letter and arabic number only, I tested this on regex101: Regex3chars 

Please let me know if it works or Splunk or not.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-15-2022 05:30 AM

There are a couple of things you might want to change - you could use the max_match option to limit the number of matches, you could use the carat (^) to anchor the match to the beginning of the field, you could use \w instead of the double negative (^ in the square brackets means not, \W means not \w, so ^\W should be equivalent to \w)

| rex max_match=1 "(?<SITE_NAME>^\w{3})"

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-15-2022 02:58 AM

Hi @jerinvarghese,

your regex is correct and you could also use substr:

| eval SITE_NAME=substr(SITE_NAME,3)

so what is your issue?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-15-2022 02:50 AM

Your output is exactly the first 3 characters of each input.  What is the question then?

0 Karma
Reply
Solved! Jump to solution

jerinvarghese
Communicator
‎11-15-2022 04:02 AM

splunk query.png

 In my search in SPlunk, It sometimes shows me the second vlaue(dark green), thats where i got the problem.

0 Karma
Reply
Solved! Jump to solution
Solution

SplunkExplorer
Contributor
‎11-15-2022 05:25 AM

Hi @jerinvarghese, I don't know if your input can contain only number and letters or also other symbols; in case of alphabet letter and arabic number only, I tested this on regex101: Regex3chars 

Please let me know if it works or Splunk or not.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...