Solved: How to create a rex string with "#" sign?

jianyu75074 · ‎07-23-2018

I have data

2018-07-23 21:00:54##7049015762##358479078622895##2##4000######N##ABS##|##USER_NUMBER##QUERY##1##90864

I want exact user=7049015762; number=90864,
I can use mvindex:

| eval user=mvindex(split(_raw,"##"),1)| eval number=mvindex(split(_raw,"##"),-1)

But I prefer rex if possible, thanks! (is rex more effective than mvindex?)

niketn · ‎07-23-2018

@jianyu75074, try the following rex command

 <yourBaseSearch>
| rex "^[^\#]+\#\#(?<user>[^\#]+)+\#\#.*\#\#(?<number>\d+)$"

Following is a run anywhere search based on the sample data provided:

| makeresults
| eval _raw="2018-07-23 21:00:54##7049015762##358479078622895##2##4000######N##ABS##|##USER_NUMBER##QUERY##1##90864"
| rex "^[^\#]+\#\#(?<user>[^\#]+)+\#\#.*\#\#(?<number>\d+)$"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎07-23-2018

@jianyu75074, try the following rex command

 <yourBaseSearch>
| rex "^[^\#]+\#\#(?<user>[^\#]+)+\#\#.*\#\#(?<number>\d+)$"

Following is a run anywhere search based on the sample data provided:

| makeresults
| eval _raw="2018-07-23 21:00:54##7049015762##358479078622895##2##4000######N##ABS##|##USER_NUMBER##QUERY##1##90864"
| rex "^[^\#]+\#\#(?<user>[^\#]+)+\#\#.*\#\#(?<number>\d+)$"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to create a rex string with "#" sign?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!