Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with regex search?

jerinvarghese
Communicator
‎11-15-2022 02:44 AM

Hi Team,

Thanks in advance,

Need a quick help in Regex query,

Input values: 

KUL6LJBJ62YD
BLR6LC7BLNJR
HRI6M5G6KKPH
KUL6LJ3N0F6J
HRI6LBJKRHHR
HRI6LB65G6NF

 

Expected output: 

First 3 character of each phrase.

 

CUrrent Regex : (?<SITE_NAME>[^\W]{3})    << BUT AM not getting proper output>>

Expected Output :

| table SITE_NAME

KUL

BLR

HRI

KUL
HRI

HRI

 

Thanks

Jerin V

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SplunkExplorer
Contributor
‎11-15-2022 05:25 AM

Hi @jerinvarghese, I don't know if your input can contain only number and letters or also other symbols; in case of alphabet letter and arabic number only, I tested this on regex101: Regex3chars 

Please let me know if it works or Splunk or not.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-15-2022 05:30 AM

There are a couple of things you might want to change - you could use the max_match option to limit the number of matches, you could use the carat (^) to anchor the match to the beginning of the field, you could use \w instead of the double negative (^ in the square brackets means not, \W means not \w, so ^\W should be equivalent to \w)

| rex max_match=1 "(?<SITE_NAME>^\w{3})"

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-15-2022 02:58 AM

Hi @jerinvarghese,

your regex is correct and you could also use substr:

| eval SITE_NAME=substr(SITE_NAME,3)

so what is your issue?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-15-2022 02:50 AM

Your output is exactly the first 3 characters of each input.  What is the question then?

0 Karma
Reply
Solved! Jump to solution

jerinvarghese
Communicator
‎11-15-2022 04:02 AM

splunk query.png

 In my search in SPlunk, It sometimes shows me the second vlaue(dark green), thats where i got the problem.

0 Karma
Reply
Solved! Jump to solution
Solution

SplunkExplorer
Contributor
‎11-15-2022 05:25 AM

Hi @jerinvarghese, I don't know if your input can contain only number and letters or also other symbols; in case of alphabet letter and arabic number only, I tested this on regex101: Regex3chars 

Please let me know if it works or Splunk or not.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...