Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to create a regular expression to extract this string from four types of patterns in my sample data?

virtualme
New Member
‎06-18-2016 11:57 PM

Hi,

I have the following 4 kinds of text in logs in a single file. I want to extract the string - Customer Num (starting with a number and followed by letters). I wish to write 1 single regex search which can handle all types of logs.

I have been able to handle & extract the Customer Number from first 3 types of pattern (one regex for each row, which is not optimal), but the fourth is turning to be a problem because it is sort of a superset of the two lines of log..

Log Text -
"/GW_SS/SPut/s/123abc/
"/GW_SS/SPut/icam/165abc/
/GW_SS/GtImFile/2245dbvf/ngH
"/GW_SS/123xy/GetPendingP"
"/GW_SS/009876/connectInfo"
I have to extract "123abc" / "165abc", "2245dbvf" , "123xy" & "009876" which is a Customer ID from each row of logs. This string I need to extract always begins with a number, and have letters following it..

Can someone please help.. I want to manage all these with 1 single regex..

0 Karma
Reply

sundareshr
Legend
‎06-20-2016 03:55 PM

This should capture all scenarios

\/(?<user>\d+\w*)
0 Karma
Reply

virtualme
New Member
‎06-20-2016 08:51 PM

Hey.. Thanks for the answer.. It's good as a regular expression, but for some reason isn't working out in Splunk.. The "/" expression makes the results go haywire..

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2016 11:30 AM

This regex string works with your sample data

 (?<user>\d+\w+)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ddrillic
Ultra Champion
‎06-19-2016 02:44 PM

Work like a charm -

base search 
| eval data="/GW_SS/SPut/s/123abc/"
| rex  field=data "(?<user>\d+\w+)"
0 Karma
Reply

virtualme
New Member
‎06-20-2016 02:48 PM

Thanks for your response... This serves the the type 4 & 5 of the logs...
Although I have reg-ex for the first 3 types, I am looking for a solution wherein I can handle all 4 types in 1 single reg-ex to extract the Customer ID..
Do you think its possible?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2016 03:15 PM

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

virtualme
New Member
‎06-20-2016 02:50 PM

Thanks for your response... This serves the the type 4 & 5 of the logs...
Although I have reg-ex for the first 3 types, I am looking for a solution wherein I can handle all 4 types in 1 single reg-ex to extract the Customer ID..
Do you think its possible?

0 Karma
Reply

ddrillic
Ultra Champion
‎06-20-2016 03:52 AM

Not my question ; -)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...