Solved: Re: How do you retrieve names in comments using re...

ramesh12345 · ‎03-08-2019

Hi,

index="os" sourcetype="test"  CaseNumber=*| dedup _time,CaseNumber  | rex field=Notes "(?\d+-\d+-\d+\s*\d+:\d+:\d+)\s*\-\s*(?\w*\W*\w*\s*\w*\s*\(\d+\))\s*"

The above query displays the lastupdated user. But I want to display all names from the comments

EX:

2019-03-07 11:48:12 - one (1234513241) (Case Notes (Comments Visible )) data in not loading
2019-03-07 12:48:12 - two (2345132421) (Case Notes (Comments Visible)) error occured
2019-03-06 14:48:12 - three (3451324143) (Case Notes (Comments Visible)) testing
2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress
2019-03-06 17:48:12 - four (2416575443) (Case Notes (Comments Visible)) filter option
2019-03-06 18:48:12 - five (4154678765) (Case Notes (Comments Visible)) data loading

This is for one case. After date is names of the persons. So I want to display all names who commented for that case.

Ex:Casenumber is 1111

1111 one (1234513241) two (2345132421) three (3451324143) four (2416575443) five (4154678765) like this

How do I write the regular expression to do this?

vnravikumar · ‎03-08-2019

Hi @ramesh12345

Try this

| makeresults 
| eval comments="2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress" 
| rex field=comments "\s-\s(?P<name>[\w]*\s\(\w*\))"

View solution in original post

renjith_nair · ‎03-08-2019

@ramesh12345 ,

Based on your sample data , try

"your search"
| rex "-\s(?<Names>\w+\s\(\d+\))"
| stats values(Names) as Names by Casenumber 
| nomv Names

---
What goes around comes around. If it helps, hit it with Karma 🙂

ramesh12345 · ‎03-11-2019

Hi,
With you query i am getting names who worked on that particular case.But My requirement is to display single person completed cases.
Ex: Case:1 name: raju
Case:2 name:raju,ramu,rakesh
Case:3 name:ramu,rakesh,rahul,raju

so the requirement is single peron completed cases.

Here raju only worked on one case.so raju count is 1

In multiple cases he involved: raju count is 2

index="os" sourcetype="Service" CaseNumber=* status=* assignment=* |dedup _time,CaseNumber,assignment|streamstats current=f last(assignment) as lg, last(active) as Active by CaseNumber|lookup L1Team.csv SSO as assigned_to OUTPUT TeamName| eval is_escalated= if(assignment!=lg AND assignment_group="Sustaining",1,NULL) |eval is_resolved=if(assignment="Sustaining" AND status="Complete" AND (isnull(Active) OR Active="true"),1,NULL)|stats count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by assigned_to,TeamName| fields - TeamName

with this query iam getting only who closed this case.that number is assigned to that case.
i want to display like above what i explained.Please help how to do this

vnravikumar · ‎03-08-2019

Hi @ramesh12345

Try this

| makeresults 
| eval comments="2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress" 
| rex field=comments "\s-\s(?P<name>[\w]*\s\(\w*\))"

How do you retrieve names in comments using regex?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Join the Conversation