Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a regular expression to extract this string from four types of patterns in my sample data?

virtualme
New Member
‎06-18-2016 11:57 PM

Hi,

I have the following 4 kinds of text in logs in a single file. I want to extract the string - Customer Num (starting with a number and followed by letters). I wish to write 1 single regex search which can handle all types of logs.

I have been able to handle & extract the Customer Number from first 3 types of pattern (one regex for each row, which is not optimal), but the fourth is turning to be a problem because it is sort of a superset of the two lines of log..

Log Text -
"/GW_SS/SPut/s/123abc/
"/GW_SS/SPut/icam/165abc/
/GW_SS/GtImFile/2245dbvf/ngH
"/GW_SS/123xy/GetPendingP"
"/GW_SS/009876/connectInfo"
I have to extract "123abc" / "165abc", "2245dbvf" , "123xy" & "009876" which is a Customer ID from each row of logs. This string I need to extract always begins with a number, and have letters following it..

Can someone please help.. I want to manage all these with 1 single regex..

0 Karma
Reply

sundareshr
Legend
‎06-20-2016 03:55 PM

This should capture all scenarios

\/(?<user>\d+\w*)
0 Karma
Reply

virtualme
New Member
‎06-20-2016 08:51 PM

Hey.. Thanks for the answer.. It's good as a regular expression, but for some reason isn't working out in Splunk.. The "/" expression makes the results go haywire..

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2016 11:30 AM

This regex string works with your sample data

 (?<user>\d+\w+)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ddrillic
Ultra Champion
‎06-19-2016 02:44 PM

Work like a charm -

base search 
| eval data="/GW_SS/SPut/s/123abc/"
| rex  field=data "(?<user>\d+\w+)"
0 Karma
Reply

virtualme
New Member
‎06-20-2016 02:48 PM

Thanks for your response... This serves the the type 4 & 5 of the logs...
Although I have reg-ex for the first 3 types, I am looking for a solution wherein I can handle all 4 types in 1 single reg-ex to extract the Customer ID..
Do you think its possible?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2016 03:15 PM

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

virtualme
New Member
‎06-20-2016 02:50 PM

Thanks for your response... This serves the the type 4 & 5 of the logs...
Although I have reg-ex for the first 3 types, I am looking for a solution wherein I can handle all 4 types in 1 single reg-ex to extract the Customer ID..
Do you think its possible?

0 Karma
Reply

ddrillic
Ultra Champion
‎06-20-2016 03:52 AM

Not my question ; -)

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...