Splunk Search

How can I extract values starting with a specific name using regex?

Shan
Builder

Hi All,

Kindly help me with a regex for the sample data below.
It's only a sample; there might be other patterns in the data.
I need to extract only the values starting with INC, e.g. (INC000013444216, INC000033109432, INC000000000958, INC000014660933), and store them in a separate field.

DESCRIPTION"Request Information ticket no.: INC000013444216"
DESCRIPTION"Gathered Info ticket no.:INC000033109432 & the bad data."
DESCRIPTION"DDD D Required Informed ticket no.:INC000000000958 "
DESCRIPTION"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB" 
DESCRIPTION"DD DS Access of the ticket no.:INC000000000958 and INC000014660933"
DESCRIPTION"Self comment ticket no.: INC000014141414 & INC000014071414"
DESCRIPTION"Known data ticket no.: INC000014222242 (INC000014555536)"
DESCRIPTION"Other DB ticket no.: INC000013777778 | 6020359"
DESCRIPTION"My Data base ticket no.:INC000013788880 and INC000013999916"
DESCRIPTION"Stay For the Information ticket no.: INC000013111117 | INC000013123418 "
DESCRIPTION"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599"
DESCRIPTION"Correct Informed ticket no.:INC000045675462, INC000009878538 "
DESCRIPTION"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more"

Thanks in advance 🙂

1 Solution

niketn
Legend

@shankarananth Some of your events have more than one INC#####; do you want to extract all of them? Also, there is one event with | 6020359. Is that an INC as well?

Can you try the following run anywhere example?

| makeresults
| eval description=" DESCRIPTION\"Request Information ticket no.: INC000013444216\";
 DESCRIPTION\"Gathered Info ticket no.:INC000033109432 & the bad data.\";
 DESCRIPTION\"DDD D Required Informed ticket no.:INC000000000958 \";
 DESCRIPTION\"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB\"; 
 DESCRIPTION\"DD DS Access of the ticket no.:INC000000000958 and INC000014660933\";
 DESCRIPTION\"Self comment ticket no.: INC000014141414 & INC000014071414\";
 DESCRIPTION\"Known data ticket no.: INC000014222242 (INC000014555536)\";
 DESCRIPTION\"Other DB ticket no.: INC000013777778 | 6020359\";
 DESCRIPTION\"My Data base ticket no.:INC000013788880 and INC000013999916\";
 DESCRIPTION\"Stay For the Information ticket no.: INC000013111117 | INC000013123418 \";
 DESCRIPTION\"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599\";
 DESCRIPTION\"Correct Informed ticket no.:INC000045675462, INC000009878538 \";
 DESCRIPTION\"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more\""
| makemv description delim=";"
| mvexpand description
| rex field="description" "(?<IncidentNumber>INC\d+)" max_match=0

max_match=0 extracts multiple Incident Numbers. If you remove the argument, it will extract only the first occurrence.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Shan
Builder

@niketnilay,

It's working fine. Thanks for your help :-).
I still need to upgrade myself in many things.

Please convert your comment into an answer so I can accept it.

cpetterborg
SplunkTrust

I've converted the comment to an answer, so it can now be accepted, @shankarananth.

DalJeanis
Legend

Assuming that they all have exactly the same number of numbers after them (12)...

  | rex field=_raw max_match=0 "(?<INC_Number>INC\d{12})"

The above will extract all INC numbers in the field _raw and put them in a multivalue field. You can query how many matches were made with...

| eval MatchCount=coalesce(mvcount(INC_Number),0)

The coalesce will set the count to 0 if there were no matches.

If they can have a range of number lengths, say 10 to 12, then change the \d{12} to \d{10,12}.
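As an added illustration, not code from any of the posters, the following Python script replays both rex patterns from this thread over the question's sample events: niketn's `INC\d+` with max_match=0, and this answer's `INC\d{12}` together with the mvcount/coalesce count. It also adds one bounded variant (`INC\d{12}(?!\d)`, my own assumption, not in the thread) to show that `\d{12}` alone still matches the first twelve digits of an over-long digit run; the patterns behave the same under Python's re and Splunk's PCRE.

```python
import re

# Constructed copy of the sample events from the question, one event per line.
EVENTS = [
    'DESCRIPTION"Request Information ticket no.: INC000013444216"',
    'DESCRIPTION"Gathered Info ticket no.:INC000033109432 & the bad data."',
    'DESCRIPTION"DDD D Required Informed ticket no.:INC000000000958 "',
    'DESCRIPTION"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB"',
    'DESCRIPTION"DD DS Access of the ticket no.:INC000000000958 and INC000014660933"',
    'DESCRIPTION"Self comment ticket no.: INC000014141414 & INC000014071414"',
    'DESCRIPTION"Known data ticket no.: INC000014222242 (INC000014555536)"',
    'DESCRIPTION"Other DB ticket no.: INC000013777778 | 6020359"',
    'DESCRIPTION"My Data base ticket no.:INC000013788880 and INC000013999916"',
    'DESCRIPTION"Stay For the Information ticket no.: INC000013111117 | INC000013123418 "',
    'DESCRIPTION"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599"',
    'DESCRIPTION"Correct Informed ticket no.:INC000045675462, INC000009878538 "',
    'DESCRIPTION"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more"',
]

PATTERNS = {
    # niketn's rex: any digit run after INC (also accepts short or over-long ids)
    "any": re.compile(r"INC\d+"),
    # DalJeanis's rex: exactly 12 digits, but still matches the first 12 of a longer run
    "exact12": re.compile(r"INC\d{12}"),
    # added variant (assumption): a lookahead rejects runs longer than 12 digits
    "exact12_bounded": re.compile(r"INC\d{12}(?!\d)"),
}

def extract_all(event, name="exact12"):
    """Every match in the event, like rex ... max_match=0 (a multivalue field)."""
    return PATTERNS[name].findall(event)

def extract_first(event, name="exact12"):
    """Only the first match, like rex without max_match."""
    m = PATTERNS[name].search(event)
    return m.group(0) if m else None

def match_count(event, name="exact12"):
    """Like coalesce(mvcount(INC_Number), 0): 0 when nothing matched."""
    return len(extract_all(event, name))

def compare_patterns(event):
    """Show how the three patterns disagree on malformed ids."""
    return {name: pat.findall(event) for name, pat in PATTERNS.items()}

# Constructed edge case: a 10-digit and a 14-digit id, neither a valid 12-digit ticket.
MALFORMED = 'DESCRIPTION"ticket no.: INC0000134442 and INC00001344421678"'
```

Running `compare_patterns(MALFORMED)` shows why the bound matters: `any` returns both malformed ids, `exact12` silently truncates the 14-digit one to a plausible-looking 12-digit ticket, and `exact12_bounded` returns nothing.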

Shan
Builder

@DalJeanis,

I have tried yours too and it's working well.
A small addition 🙂:

 | rex field=_raw max_match=0 "(?<INC_Number>INC\d{12})"

Thank you.

DalJeanis
Legend

@shankarananth - updated. Thanks!
