Solved: How to edit my rex search to extract field values ...

edrivera3 · ‎04-13-2015

Hi

I am extracting a field named revision from raw data and the only possible field values are 1 or 2 consecutive upper case letters or a hyphen e.g.(A,B,AC,GF, -). I tried the following, but it didn't extract the field values with a hyphen:

 | rex field=_raw " Revision  (?[-A-Z]{1,2})"

somesoni2 · ‎04-13-2015

Try this (assuming your data looks like this " some data Revision A" OR " some data Revision AB" OR " some data Revision -")

   your base search | rex " Revision\s+(?<Revision>[-A-Z]{1,2})

View solution in original post

somesoni2 · ‎04-13-2015

Try this (assuming your data looks like this " some data Revision A" OR " some data Revision AB" OR " some data Revision -")

   your base search | rex " Revision\s+(?<Revision>[-A-Z]{1,2})

edrivera3 · ‎04-13-2015

That is what I did and it's correct. My error was that I didn't noticed that there is a space before the hyphen and the single upper case letter so I changed the regex and it worked. Thanks (I am going to accept your answer!)

| rex " Revision (?[A-Z]{2,2}|\s\W|\s[A-Z])"

edrivera3 · ‎04-13-2015

For some reason, it doesn't appear the angle bracket with the word "revision".

How to edit my rex search to extract field values with a hyphen?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to edit my rex search to extract field values with a hyphen?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES