Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I Rex to match until a string

mattodo
Explorer
‎05-08-2016 09:57 AM

Hi folks,

I'm new to regex and am struggling to extract a number from a field. I basically need the amount extracted from the following;

Date Name Amount Curr Type Status
------------------- -------------------- ---------- ---- ------------ ------
07.05.2016 22:58:09 Person's Name 5.00 GBP Sale Okay

It is the variable length text before the number that I am struggling with.

Please can you suggest a way in which I can extract just the 5.00 in the above example?

Thanks in advance 🙂

Matt

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎05-08-2016 10:39 AM

Try this but ignoring the top 3 lines that I used to replicate your event.

Option 1 (from your raw event):

| stats count
| fields - count
| eval _raw = "07.05.2016 22:58:09 Person's Name 5.00 GBP Sale Okay"
| rex field=_raw "(?<Amount_num>\d+\.\d{2}) GBP"

Option 2 (assuming there's a field named Amount as indicated above):

| stats count
| fields - count
| eval Amount = "5.00 GBP"
| rex field=Amount "(?<Amount_num>\d+\.\d{2})"

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎05-08-2016 10:39 AM

Try this but ignoring the top 3 lines that I used to replicate your event.

Option 1 (from your raw event):

| stats count
| fields - count
| eval _raw = "07.05.2016 22:58:09 Person's Name 5.00 GBP Sale Okay"
| rex field=_raw "(?<Amount_num>\d+\.\d{2}) GBP"

Option 2 (assuming there's a field named Amount as indicated above):

| stats count
| fields - count
| eval Amount = "5.00 GBP"
| rex field=Amount "(?<Amount_num>\d+\.\d{2})"
Reply
Solved! Jump to solution

mattodo
Explorer
‎05-08-2016 12:54 PM

Many thanks for the prompt reply Javiergn, It shows I am new to this because I copied and pasted from one of my records and the formatting was lost. There are actually many spaces between the field sections. I have now found the code sample feature 😉 so the data should look like this;

Date                Name                     Amount Curr Type         Status
------------------- -------------------- ---------- ---- ------------ ------
07.05.2016 22:58:09 Person's name                 5.00 GBP  Sale         Okay

The rex you gave did not return anything. Is this due to the extra spaces?

Thanks again!

Matt

0 Karma
Reply
Solved! Jump to solution

mattodo
Explorer
‎05-08-2016 01:30 PM

Hi again, your method worked great (minor error on my part) so I have exactly what I need.

Many thanks, you have really helped me out!

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎05-08-2016 02:19 PM

Hi, no worries. Happy to help.

If you are happy with the response please mark it as answered so that others can benefit from it.

0 Karma
Reply
Solved! Jump to solution

mattodo
Explorer
‎05-08-2016 02:27 PM

done 🙂 TY

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...