Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a regular expression to extract this string from four types of patterns in my sample data?

virtualme
New Member
‎06-18-2016 11:57 PM

Hi,

I have the following 4 kinds of text in logs in a single file. I want to extract the string - Customer Num (starting with a number and followed by letters). I wish to write 1 single regex search which can handle all types of logs.

I have been able to handle & extract the Customer Number from first 3 types of pattern (one regex for each row, which is not optimal), but the fourth is turning to be a problem because it is sort of a superset of the two lines of log..

Log Text -
"/GW_SS/SPut/s/123abc/
"/GW_SS/SPut/icam/165abc/
/GW_SS/GtImFile/2245dbvf/ngH
"/GW_SS/123xy/GetPendingP"
"/GW_SS/009876/connectInfo"
I have to extract "123abc" / "165abc", "2245dbvf" , "123xy" & "009876" which is a Customer ID from each row of logs. This string I need to extract always begins with a number, and have letters following it..

Can someone please help.. I want to manage all these with 1 single regex..

0 Karma
Reply

sundareshr
Legend
‎06-20-2016 03:55 PM

This should capture all scenarios

\/(?<user>\d+\w*)
0 Karma
Reply

virtualme
New Member
‎06-20-2016 08:51 PM

Hey.. Thanks for the answer.. It's good as a regular expression, but for some reason isn't working out in Splunk.. The "/" expression makes the results go haywire..

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2016 11:30 AM

This regex string works with your sample data

 (?<user>\d+\w+)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ddrillic
Ultra Champion
‎06-19-2016 02:44 PM

Work like a charm -

base search 
| eval data="/GW_SS/SPut/s/123abc/"
| rex  field=data "(?<user>\d+\w+)"
0 Karma
Reply

virtualme
New Member
‎06-20-2016 02:48 PM

Thanks for your response... This serves the the type 4 & 5 of the logs...
Although I have reg-ex for the first 3 types, I am looking for a solution wherein I can handle all 4 types in 1 single reg-ex to extract the Customer ID..
Do you think its possible?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2016 03:15 PM

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

virtualme
New Member
‎06-20-2016 02:50 PM

Thanks for your response... This serves the the type 4 & 5 of the logs...
Although I have reg-ex for the first 3 types, I am looking for a solution wherein I can handle all 4 types in 1 single reg-ex to extract the Customer ID..
Do you think its possible?

0 Karma
Reply

ddrillic
Ultra Champion
‎06-20-2016 03:52 AM

Not my question ; -)

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...