Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to capture only string and remove optional digits with regex

ncrs5699
Explorer
‎04-06-2019 05:32 PM

I have a field which has values like below. there are 100+ values for this field, but i just posted 3 sample values. Some values will have digits(6-8) at the end (as shows in the 3rd value- 854623) and some do not have that number. How to capture only the string, but not the number at the end using regex

FKlB2mKprnNYmaeKMLEHuwAAADw --> (for this i need to capture complete string)
XKlB2pQ3Vg7Fc533j7uljgAAAVU --> (for this i need to capture complete string)
FKlB2kZez-O1EvQ8BK-XGAAAAJw-854623 --> (for this i need to capture only the string until jw, i dont need this value -854623)

I tried like this - | rex field=myField (?i)(?P<UUID>.*?)\-(?:\d{6,8}|^.*)
But this is capturing only UUID from the 3rd value, please help

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-07-2019 08:27 AM

@ncrs5699, add the following replace() eval function | eval extracted_value=replace(myField,"(.*)(\-\d+)$","\1") to your existing search with myField. Following is a run anywhere example based on sample data provided and the explanation for extraction:

| makeresults 
| eval myField="FKlB2mKprnNYmaeKMLEHuwAAADw;XKlB2pQ3Vg7Fc533j7uljgAAAVU;FKlB2kZez-O1EvQ8BK-XGAAAAJw-854623" 
| makemv delim=";" myField 
| mvexpand myField
| eval extracted_value=replace(myField,"(.*)(\-\d+)$","\1")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-07-2019 08:55 AM

OK, now that you have clarified it, try this:

| makeresults 
| eval msg="FKlB2mKprnNYmaeKMLEHuwAAADw FKlB2mKprnNYmaeKMLEHuwAAADw-123 XKlB2pQ3Vg7Fc533j7uljgAAAVU-12345 XKlB2pQ3Vg7Fc533j7uljgAAAVU-123456 XKlB2pQ3Vg7Fc533j7uljgAAAVU-1234567 XKlB2pQ3Vg7Fc533j7uljgAAAVU-12345678 XKlB2pQ3Vg7Fc533j7uljgAAAVU-123456789" 
| makemv msg 
| eval myNewField = replace(msg, "\-\d{6,8}$", "")
Reply
Solved! Jump to solution

ncrs5699
Explorer
‎04-07-2019 01:29 PM

this one worked as well. thanks

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-07-2019 08:27 AM

@ncrs5699, add the following replace() eval function | eval extracted_value=replace(myField,"(.*)(\-\d+)$","\1") to your existing search with myField. Following is a run anywhere example based on sample data provided and the explanation for extraction:

| makeresults 
| eval myField="FKlB2mKprnNYmaeKMLEHuwAAADw;XKlB2pQ3Vg7Fc533j7uljgAAAVU;FKlB2kZez-O1EvQ8BK-XGAAAAJw-854623" 
| makemv delim=";" myField 
| mvexpand myField
| eval extracted_value=replace(myField,"(.*)(\-\d+)$","\1")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

ncrs5699
Explorer
‎04-07-2019 01:27 PM

thank you, it worked.

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎04-06-2019 11:10 PM

Hi

Try this

| makeresults 
 | eval msg="FKlB2mKprnNYmaeKMLEHuwAAADw;XKlB2pQ3Vg7Fc533j7uljgAAAVU;FKlB2kZez-O1EvQ8BK-XGAAAAJw-854623" 
 | makemv delim=";" msg 
 | mvexpand msg 
 | rex field=msg "\-(?P<output>[\d]+$)"

OR

If you are specific to length of digits

| makeresults 
| eval msg="FKlB2mKprnNYmaeKMLEHuwAAADw;FKlB2mKprnNYmaeKMLEHuwAAADw-3435;XKlB2pQ3Vg7Fc533j7uljgAAAVU-223332;FKlB2kZez-O1EvQ8BK-XGAAAAJw-12234354" 
| makemv delim=";" msg 
| mvexpand msg 
| rex field=msg "\-(?P<output>[\d]{6,8}$)"

New: Check this

| makeresults 
 | eval myField="FKlB2mKprnNYmaeKMLEHuwAAADw;XKlB2pQ3Vg7Fc533j7uljgAAAVU;FKlB2kZez-O1EvQ8BK-XGAAAAJw-854623" 
 | makemv delim=";" myField 
 | mvexpand myField
 | rex field=myField "(?P<output>.*[^-\d]+)"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-07-2019 04:33 AM

@ncrs5699 first rex proposed by @vnravikumar is more accurate as per your requirement. Also, \- is not required if the requirement is to pull all digits when the field value ends with digits. \d+$

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

ncrs5699
Explorer
‎04-07-2019 08:12 AM

thank you, i have updated my question to make it more clear, also i have 100+ values for this field

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...