Splunk Search

How to extract 50A720 or 816851 using | rex field=name mode=sed "s/816851/"?

ashidhingra
Path Finder

The data I have is
816851-567-7554080981706881
50A720 -123-8150015922249983
816851-567-1135131573613120
816851-567-0065137870504409
50A720 -123-1135131573613120
816851-567-0065137870504409
50A720 -123-1135131573613120
50A720 -123-0065137870504409

I want to extract 50A720 or 816851 using | rex field=name mode=sed "s/816851/"
getting error Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string.

ITWhisperer
SplunkTrust

There seems to be some confusion with what you are trying to do. Are you trying to extract the first part of the field (before the first - sign) into another field, or are you trying to edit the field to remove the first part and do you want to do this only if it is specifically either 50A720 or 816851?

| rex field=name "^(?<firstpart>[^\-]+)\-"

| rex field=name mode=sed "s/(50A720|816851)//g"

ashidhingra
Path Finder

I only want to see 50A720 or 816851 in the output


ITWhisperer
SplunkTrust

If you want to do it with rex (although there are probably easier ways to do it), you could try this

| rex field=name mode=sed "s/(50A720|816851)(.*)/\1/g"

ashidhingra
Path Finder

Awesome. thanks.
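
An added example, not part of any post in this thread: a self-contained search that loads four of the sample values from the question with makeresults and runs the field extraction and the sed rewrite side by side. The expression in the question fails because sed mode expects s/<regex>/<replacement>/<flags>, and "s/816851/" ends before the replacement part. The field names original and prefix are chosen here for illustration.

```spl
| makeresults
| eval name=split("816851-567-7554080981706881,50A720 -123-8150015922249983,816851-567-1135131573613120,50A720 -123-0065137870504409", ",")
| mvexpand name
| eval original=name
| rex field=original "^(?<prefix>50A720|816851)"
| rex field=name mode=sed "s/(50A720|816851)(.*)/\1/g"
| table original prefix name
```

Both prefix and the rewritten name come out as 816851 or 50A720. The extraction into prefix leaves the source field untouched, while mode=sed overwrites name in place.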
