Splunk Search

How to extract 50A720 or 816851using | rex field=name mode=sed "s/816851/"?

ashidhingra
Path Finder

The data i have is 
816851-567-7554080981706881
50A720 -123-8150015922249983
816851-567-1135131573613120
816851-567-0065137870504409
50A720 -123-1135131573613120
816851-567-0065137870504409
50A720 -123-1135131573613120
50A720 -123-0065137870504409

I want to extract 50A720 or 816851using | rex field=name  mode=sed "s/816851/"
getting error Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string.

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

If you want to do it with rex (although there are probably easier ways to do it), you could try this

| rex field=name mode=sed "s/(50A720|816851)(.*)/\1/g"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

There seems to be some confusion with what you are trying to do. Are you trying to extract the first part of the field (before the first - sign) into another field, or are you trying to edit the field to remove the first part and do you want to do this only if it is specifically either 50A720 or 816851?

| rex field=name "^(?<firstpart>[^\-]+)\-"

| rex field=name mode=sed "s/(50A720|816851)//g"

ashidhingra
Path Finder

I only want to see 50A720 or 816851 in the ouput

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If you want to do it with rex (although there are probably easier ways to do it), you could try this

| rex field=name mode=sed "s/(50A720|816851)(.*)/\1/g"

ashidhingra
Path Finder

Awesome. thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...