Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to drop brackets from field extraction result?

vcorral
New Member
‎05-30-2019 02:11 PM

I have some logs that are very inconsistent and need to get a source number that is displayed one of few different ways:

  Source Number: 47107
  Source id: Meter <47107>
  Source id: 47107

I can successfully weed out all of the Source prefixes, but I can't find a way to remove the "<" and ">" from the field extraction. Here is what I have tried so far:

(?:Source\sid:|Source\sNumber:)(?:\sMeter\s|\s)(?<MeterNumber>((?:<)\d*(?:>)|\d*))

We can see that I tried ignoring the "<" and ">", but they are still showing up in search results.

Is there any way I can drop them as part of the field extraction?
Thanks in advance!
Virgil

0 Karma
Reply

evania
Splunk Employee
Splunk Employee
‎06-06-2019 02:50 PM

Hi @vcorral ,

Did you have a chance to check out these answers yet? If any of them worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma
Reply

vcorral
New Member
‎05-31-2019 06:29 AM

Thank you all for your quick and informative responses. I was too far into the issue and could not see the forest through the trees. I did move the "<" outside of the named capture group and added it to the one string that utilized it in the preceding non-capture group.

I also changed the "\d*" to "\d+", thanks for keeping me straight on that.

My new REGEX is as follows:

(?:Source\sid:|Source\sNumber:)(?:\sMeter\s<|\s)(?<MeterNumber>(\d+))
0 Karma
Reply

anthonymelita
Contributor
‎05-30-2019 05:32 PM

In Splunk because you only really care about the named extracted field, you don't need to worry about the non-capture groups. Just move the bracket outside the extraction:

(Source\sid:|Source\sNumber:)(\sMeter\s|\s)(<*)(?\d+)

I had to change the d(star) to d+ because it's interpreting as italics

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎05-30-2019 05:32 PM

Hi vcorral,

Please give this regex a try:

 Source (?:Number|id):[\s\w\<]+?(?<myNumber>\d+)

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...