Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I extract values starting with a specific name using regex?

Shan
Builder
‎08-22-2018 10:01 PM

Hi All,

Kindly help me with regex for below sample data.
Its only a sample there might be some other pattern of data.
I need to extract only the values starting with INC eg(INC000013444216,INC000033109432,INC000000000958,INC000014660933) and store in a separate field.

DESCRIPTION"Request Information ticket no.: INC000013444216"
DESCRIPTION"Gathered Info ticket no.:INC000033109432 & the bad data."
DESCRIPTION"DDD D Required Informed ticket no.:INC000000000958 "
DESCRIPTION"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB" 
DESCRIPTION"DD DS Access of the ticket no.:INC000000000958 and INC000014660933"
DESCRIPTION"Self comment ticket no.: INC000014141414 & INC000014071414"
DESCRIPTION"Known data ticket no.: INC000014222242 (INC000014555536)"
DESCRIPTION"Other DB ticket no.: INC000013777778 | 6020359"
DESCRIPTION"My Data base ticket no.:INC000013788880 and INC000013999916"
DESCRIPTION"Stay For the Information ticket no.: INC000013111117 | INC000013123418 "
DESCRIPTION"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599"
DESCRIPTION"Correct Informed ticket no.:INC000045675462, INC000009878538 "
DESCRIPTION"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more"

Thanks in advance 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-22-2018 10:16 PM

@shankarananth Some of your events have more than one INC#####, do you want to extract all? Also There is one event with | 6020359. Is that INC as well?

Can you try the following run anywhere example?

| makeresults
| eval description=" DESCRIPTION\"Request Information ticket no.: INC000013444216\";
 DESCRIPTION\"Gathered Info ticket no.:INC000033109432 & the bad data.\";
 DESCRIPTION\"DDD D Required Informed ticket no.:INC000000000958 \";
 DESCRIPTION\"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB\"; 
 DESCRIPTION\"DD DS Access of the ticket no.:INC000000000958 and INC000014660933\";
 DESCRIPTION\"Self comment ticket no.: INC000014141414 & INC000014071414\";
 DESCRIPTION\"Known data ticket no.: INC000014222242 (INC000014555536)\";
 DESCRIPTION\"Other DB ticket no.: INC000013777778 | 6020359\";
 DESCRIPTION\"My Data base ticket no.:INC000013788880 and INC000013999916\";
 DESCRIPTION\"Stay For the Information ticket no.: INC000013111117 | INC000013123418 \";
 DESCRIPTION\"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599\";
 DESCRIPTION\"Correct Informed ticket no.:INC000045675462, INC000009878538 \";
 DESCRIPTION\"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more\""
| makemv description delim=";"
| mvexpand description
| rex field="description" "(?<IncidentNumber>INC\d+)" max_match=0

max_match=0 extracts multiple Incident Numbers. If you remove the argument it will extract only first occurrence.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-22-2018 10:16 PM

@shankarananth Some of your events have more than one INC#####, do you want to extract all? Also There is one event with | 6020359. Is that INC as well?

Can you try the following run anywhere example?

| makeresults
| eval description=" DESCRIPTION\"Request Information ticket no.: INC000013444216\";
 DESCRIPTION\"Gathered Info ticket no.:INC000033109432 & the bad data.\";
 DESCRIPTION\"DDD D Required Informed ticket no.:INC000000000958 \";
 DESCRIPTION\"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB\"; 
 DESCRIPTION\"DD DS Access of the ticket no.:INC000000000958 and INC000014660933\";
 DESCRIPTION\"Self comment ticket no.: INC000014141414 & INC000014071414\";
 DESCRIPTION\"Known data ticket no.: INC000014222242 (INC000014555536)\";
 DESCRIPTION\"Other DB ticket no.: INC000013777778 | 6020359\";
 DESCRIPTION\"My Data base ticket no.:INC000013788880 and INC000013999916\";
 DESCRIPTION\"Stay For the Information ticket no.: INC000013111117 | INC000013123418 \";
 DESCRIPTION\"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599\";
 DESCRIPTION\"Correct Informed ticket no.:INC000045675462, INC000009878538 \";
 DESCRIPTION\"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more\""
| makemv description delim=";"
| mvexpand description
| rex field="description" "(?<IncidentNumber>INC\d+)" max_match=0

max_match=0 extracts multiple Incident Numbers. If you remove the argument it will extract only first occurrence.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Shan
Builder
‎08-22-2018 10:27 PM

@niketnilay,

It's working fine.. Thanks for your help :-).
I hope still i need to upgrade myself in many things..

Please convert your comment into answers.. So i can accept it ..

Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎08-23-2018 09:10 AM

I've converted the comment to an answer, so it can now be accepted, @shankarananth.

Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-22-2018 10:13 PM

Assuming that they all have exactly the same number of numbers after them (12)...

  | rex field=_raw max_match=0 "(?<INC_Number>INC\d{12})"

The above will extract all INC numbers in the field _raw and put them in a multivalue field. You can query how many matches were made with... 

| eval MatchCount=coalesce(mvcount(INC_Number),0)

The coalesce will set the count to 0 if there were no matches.

If they can have a range of number lengths, say 10 to 12, then change the \d{12} to \d{10,12}

Reply
Solved! Jump to solution

Shan
Builder
‎08-22-2018 10:32 PM

@ DalJeanis,

I have tried your too its working good ..
A small addition 🙂 ..

 | rex field=_raw max_match=0 "(?<INC_Number>INC\d{12})"

Thanks you ....

Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-26-2018 01:31 PM

@shankarananth - updated. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...