Hi,
I wonder whether someone may be able to help me please.
I'm very new to using Splunk and most certainly to the rex command and regular expressions, so please bear with me.
I'm trying to extract a nino field from my raw data, which is in the following format: "nino\":\"AB123456B\".
Could someone possibly tell me please how I may strip the actual nino number out of this line?
Many thanks and kind regards
Chris
Hi All,
I'm trying to achieve something similar using regular expressions on raw data...
I want to extract the figures at the end of row ESS1. If someone could help me extract the field and strip out the figures, that would be great!
ESCO - [57]
ESDC - [82]
ESEM - [170]
ESS1 - [2813]
ESVI - [706]
F421 - [30]
Thanks
Bablucho
Try this:
... | rex "ESS1 - \[(?<thatfield>[^\]]+)"
this will create a field called thatfield
with the value 2813
based on your provided example.
cheers, MuS
Thanks MuS, I think this would work, though I've just realised the raw data I pasted in didn't include the whitespaces...
ESCO - [57]
ESDC - [82]
ESEM - [170]
ESS1{14whitespaces}-{3whitespaces} [2813]
ESVI - [706]
F421 - [30]
I've got it to work with the below (the opening bracket escaped so it is not read as a character class, and the named capture group restored):
... | rex "ESS1\s\s\s\s\s\s\s\s\s\s\s\s\s\s.\s\s\s\[(?<thatfield>[^\]]+)"
This should work:
... | rex "nino[\\\":]*(?<nino>[^\\\":]*)"
Hi @woodcock, thank you for taking the time to reply to my post, this works great.
Many thanks and kind regards
Chris
Hi IRHM73,
if your _raw events really contain the provided example, you can run this rex command:
your base search here | rex field=_raw ":\\\"(?<nino>\w+)\\\""
This will match any word character [a-zA-Z0-9_] after :\" and put it into the field called nino.
Hope this helps ...
cheers, MuS
Hi @MuS, thank you for coming back to me with this I really appreciate it. The format of the nino field was "nino\":\"AB123456B\".
But not to worry, I've been able to extract this using the solution by @woodcock.
Once again sincere thanks for your help.
Many thanks and kind regards
Chris
Hi @MuS, thank you for coming back to me with this.
Unfortunately, as it's sensitive data, I can't send you the raw data, but perhaps if you could explain what you need I may be able to put something together.
Many thanks and kind regards
Chris
Hi there, it is currently not 100% clear if the event looks like this nino":"AB123456B" or like this nino\":\"AB123456B\"
Can you please confirm if it is the first or the latter one?
Hi everyone,
how can we use rex field=_raw in an input field? I couldn't make it work correctly.
I suggest opening a new question and providing more details.
Hi, that's great thank you very much, but could you tell me please how I search for the 'nino' field.
Could you also tell me please, is it possible to search for the field 'nino' specifically because my raw data contains a number of fields with the same "fieldname":"fieldvalue" format.
Many thanks and kind regards
Chris
Just add any search or stats command in the next search pipe like this:
your base search here | rex field=_raw ":\\\"(?<nino>\w+)\\\"" | table nino
or
your base search here | rex field=_raw ":\\\"(?<nino>\w+)\\\"" | search nino=AB*
Hi @MuS, that's great, thank you.
Kind Regards
Chris
You're welcome 🙂
Hi, @MuS, I'm really very sorry to trouble you with this again.
I've used the 'rex' expression you kindly provided, but unfortunately it doesn't extract the correct data into the table. I've also tried another field called 'middleNames', which has the same format as the NINO, so the expression is rex field=_raw ":"(?w+)"" | table middleNames, but it is still not extracting the field value data from the raw text.
Any ideas?
Many thanks and kind regards
Chris
Please provide some raw events for both fields; use the code mark-up (CTRL-K) to encode any special characters ...
Hi @MuS, thank you very much for taking the time to reply to my post.
Unfortunately I can't get this to work, because it returns the error message: Error in 'rex' command: Encountered the following error while compiling the regex ':(?w+)': Regex: unmatched parentheses.
Could you also tell me please, is it possible to search for the field 'nino' specifically because my raw data contains a number of fields with the same "fieldname":"fieldvalue" format.
Many thanks and kind regards
Chris
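An added worked example (not from the thread, and not Splunk's own code) of the two regex approaches discussed above, run in Python's re module on constructed events that carry several "fieldname":"fieldvalue" pairs, once with the JSON quotes backslash-escaped and once without. It shows why a pattern anchored only on :\" can return the wrong pair or nothing, while the accepted answer's field-name-anchored pattern picks out nino (or middleNames) specifically. The event contents and NINO values are made up.

```python
import re
from typing import List, Optional

# Constructed sample events: the first has its JSON quotes escaped with
# backslashes (as in the original question), the second does not.
EVENTS = [
    r'{\"firstName\":\"Chris\",\"middleNames\":\"James\",\"nino\":\"AB123456B\"}',
    '{"firstName":"Chris","middleNames":"James","nino":"CD654321A"}',
]

# The answer's pattern as the regex engine sees it after SPL string
# unescaping: ':' then a literal '"' then word characters then '"'.
NAIVE_RE = re.compile(r':\"(?P<v>\w+)\"')


def naive_first_value(event: str) -> Optional[str]:
    """Return whatever the ':\"value\"' pattern matches first, if anything.

    On an unescaped event this is the first pair's value, not the NINO; on a
    backslash-escaped event ':' is followed by '\\', so it never matches.
    """
    m = NAIVE_RE.search(event)
    return m.group("v") if m else None


def extract_field(event: str, field: str) -> Optional[str]:
    """Generalise the accepted answer's pattern to any field name.

    After the field name, skip any run of backslashes, quotes and colons,
    then capture up to the next backslash, quote or colon. Anchoring on the
    field name is what makes the extraction specific when many pairs share
    the same layout, and it works for both escaped and unescaped events.
    """
    pattern = re.compile(re.escape(field) + r'[\\":]*(?P<value>[^\\":]*)')
    m = pattern.search(event)
    return m.group("value") if m else None


def extract_all(events: List[str], field: str = "nino") -> List[Optional[str]]:
    """Run the field-anchored extraction over every event."""
    return [extract_field(e, field) for e in events]


if __name__ == "__main__":
    for e in EVENTS:
        print("naive:", naive_first_value(e), "| nino:", extract_field(e, "nino"),
              "| middleNames:", extract_field(e, "middleNames"))
```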