Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a regular expression to extract this string from four types of patterns in my sample data?

virtualme
New Member
‎06-18-2016 11:57 PM

Hi,

I have the following 4 kinds of text in logs in a single file. I want to extract the string - Customer Num (starting with a number and followed by letters). I wish to write 1 single regex search which can handle all types of logs.

I have been able to handle & extract the Customer Number from first 3 types of pattern (one regex for each row, which is not optimal), but the fourth is turning to be a problem because it is sort of a superset of the two lines of log..

Log Text -
"/GW_SS/SPut/s/123abc/
"/GW_SS/SPut/icam/165abc/
/GW_SS/GtImFile/2245dbvf/ngH
"/GW_SS/123xy/GetPendingP"
"/GW_SS/009876/connectInfo"
I have to extract "123abc" / "165abc", "2245dbvf" , "123xy" & "009876" which is a Customer ID from each row of logs. This string I need to extract always begins with a number, and have letters following it..

Can someone please help.. I want to manage all these with 1 single regex..

0 Karma
Reply

sundareshr
Legend
‎06-20-2016 03:55 PM

This should capture all scenarios

\/(?<user>\d+\w*)
0 Karma
Reply

virtualme
New Member
‎06-20-2016 08:51 PM

Hey.. Thanks for the answer.. It's good as a regular expression, but for some reason isn't working out in Splunk.. The "/" expression makes the results go haywire..

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2016 11:30 AM

This regex string works with your sample data

 (?<user>\d+\w+)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ddrillic
Ultra Champion
‎06-19-2016 02:44 PM

Work like a charm -

base search 
| eval data="/GW_SS/SPut/s/123abc/"
| rex  field=data "(?<user>\d+\w+)"
0 Karma
Reply

virtualme
New Member
‎06-20-2016 02:48 PM

Thanks for your response... This serves the the type 4 & 5 of the logs...
Although I have reg-ex for the first 3 types, I am looking for a solution wherein I can handle all 4 types in 1 single reg-ex to extract the Customer ID..
Do you think its possible?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2016 03:15 PM

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

virtualme
New Member
‎06-20-2016 02:50 PM

Thanks for your response... This serves the the type 4 & 5 of the logs...
Although I have reg-ex for the first 3 types, I am looking for a solution wherein I can handle all 4 types in 1 single reg-ex to extract the Customer ID..
Do you think its possible?

0 Karma
Reply

ddrillic
Ultra Champion
‎06-20-2016 03:52 AM

Not my question ; -)

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...