Splunk Search

How to edit my rex search to extract field values with a hyphen?

edrivera3
Builder

Hi

I am extracting a field named revision from raw data and the only possible field values are 1 or 2 consecutive upper case letters or a hyphen, e.g. (A, B, AC, GF, -). I tried the following, but it didn't extract the field values with a hyphen:

 | rex field=_raw " Revision  (?<revision>[-A-Z]{1,2})"
1 Solution

somesoni2
Revered Legend

Try this (assuming your data looks like this " some data Revision A" OR " some data Revision AB" OR " some data Revision -")

   your base search | rex " Revision\s+(?<Revision>[-A-Z]{1,2})"

edrivera3
Builder

That is what I did and it's correct. My error was that I didn't notice that there is a space before the hyphen and the single upper case letter, so I changed the regex and it worked. Thanks (I am going to accept your answer!)

| rex " Revision (?<revision>[A-Z]{2,2}|\s\W|\s[A-Z])"

edrivera3
Builder

For some reason, the angle bracket with the word "revision" doesn't appear.

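To see how the two working patterns from this thread behave on padded data, here is an added example (not code from the thread or from Splunk) that runs them with JavaScript's RegExp, which accepts the same `(?<name>...)` named-group syntax as the rex command. The sample events are constructed: the Revision column is assumed to be right-aligned to two characters, which is why single letters and the hyphen are preceded by two spaces while two-letter codes get one. It also shows a caveat with the asker's alternation pattern: because `\s` sits inside the capture group, the extracted values for one-character revisions carry a leading space, whereas the accepted answer keeps `\s+` outside the group and yields clean values.

```javascript
// Added example, not from the thread. Exercises the thread's rex patterns with
// JavaScript RegExp named groups, which use the same (?<name>...) syntax as rex.

// Constructed sample events (assumption: the Revision column is right-aligned
// to two characters, so "A" and "-" are preceded by two spaces, "AB" by one).
const SAMPLE_EVENTS = [
  "2024-05-01T10:00:00 host=app01 some data Revision AB status=ok",
  "2024-05-01T10:00:01 host=app01 some data Revision  A status=ok",
  "2024-05-01T10:00:02 host=app01 some data Revision  - status=ok",
  "2024-05-01T10:00:03 host=app01 some data without the field status=ok",
];

// Accepted answer's pattern: \s+ absorbs any padding outside the group, so the
// captured value is only the revision code itself.
const ACCEPTED_PATTERN = / Revision\s+(?<Revision>[-A-Z]{1,2})/;

// Asker's final pattern: the alternation handles the padding, but the
// whitespace is matched inside the capture group and ends up in the value.
const ALTERNATION_PATTERN = / Revision (?<revision>[A-Z]{2,2}|\s\W|\s[A-Z])/;

// Apply one pattern to each event and return the named group's value, or null
// when the event does not match (rex would simply leave the field unset).
function extractRevision(pattern, groupName, events = SAMPLE_EVENTS) {
  return events.map((event) => {
    const m = pattern.exec(event);
    return m ? m.groups[groupName] : null;
  });
}

// Same extraction with the value trimmed, the equivalent of following rex with
// an eval trim() once whitespace has leaked into the captured field.
function extractRevisionTrimmed(pattern, groupName, events = SAMPLE_EVENTS) {
  return extractRevision(pattern, groupName, events).map((v) =>
    v === null ? null : v.trim()
  );
}

console.log("accepted   :", extractRevision(ACCEPTED_PATTERN, "Revision"));
console.log("alternation:", extractRevision(ALTERNATION_PATTERN, "revision"));
console.log("trimmed    :", extractRevisionTrimmed(ALTERNATION_PATTERN, "revision"));
```

Running it prints `["AB", "A", "-", null]` for the accepted pattern and `["AB", " A", " -", null]` for the alternation pattern; the leading spaces matter in Splunk because `revision="A"` and `revision=" A"` are different values in a search or a stats by clause, so keep padding outside the capture group or trim afterwards.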