Splunk Search

How to extract a field that is changing position in the logs?

Communicator

Hi,

I am trying to extract a field that is changing position in the logs and cannot figure out how to extract it.

"<"BusinessPartnerCode>005003"<"/BusinessPartnerCode> (without the quotes)

The entry looks like above and I am trying to get the numbers in between and name the field. When I mark it with the Splunk Field tool it doesn't work correctly, since the entry changes positions in the events.

Thank you.

Oliver

1 Solution

Motivator

try:

If it only has a quote at the end, as in the question (005003"):

yourBaseSearch
| rex "\"\<\"BusinessPartnerCode\>(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"

If it has a quote at the start and at the end ("005003"), try:

yourBaseSearch
| rex "\"\<\"BusinessPartnerCode\>\"(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"


Communicator

Add this to the sourcetype stanza in props.conf

EXTRACT-bpc = \<BusinessPartnerCode\>(?<BusinessPartnerCode>\d{6})\<\/BusinessPartnerCode\>

Or you take the approach above for extraction at search time.

Communicator

Thank you. Actually my number does not have any quotes (just had to put them there because the Splunk website wouldn't allow the brackets otherwise).

Would this be the correct version without quotes?

| rex "\"<\"BusinessPartnerCode>(?[^\"]+)<\"\/BusinessPartnerCode>"


Motivator

I was in the same boat as you a few days ago. Use the "Code Sample" formatting button in the text editor whenever you are posting text that the Splunk website mangles because of the tags. So, for example, if I type the line below, then select it and press the "Code Sample" button, it appears as follows:

rex "\"\<\"BusinessPartnerCode\>(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"

If I type it without highlighting it and formatting it as "Code Sample", it looks like this:
rex "\"<\"BusinessPartnerCode>(?[^\"]+)\"<\"\/BusinessPartnerCode>"

See how ?<businessCode> disappears above compared to the "Code Sample" version.
So use the "Code Sample" button and post the exact sample line for which you want the regex modified, and I can paste the result here in a reply.

However, if there are no quotes in your sample and it actually looks like this:

<BusinessPartnerCode>005003</BusinessPartnerCode>

Then you can use this regex:

| rex "\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>"

Communicator

Got it, I was wondering what the trick was. Thank you very much.

<BusinessPartnerCode>001999</BusinessPartnerCode>

So what would the regex be without all the quotes? The one I posted isn't highlighting the 6-digit code.


Motivator

| rex "\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>"

I had also pasted it above, in the later part of my comment.

Or, alternatively, if you want to focus on the digits part (the regex above extracts everything until it encounters <), use the one below. Either should work.

| rex "\<BusinessPartnerCode\>(?<businessCode>\d{6})\<\/BusinessPartnerCode\>"

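The rex patterns in this thread and the EXTRACT-bpc stanza in the props.conf answer are PCRE, and JavaScript regexes use the same (?<name>...) named-group syntax, so the patterns can be exercised outside Splunk against a few sample events. What follows is an added example, not code from the thread or from Splunk. It checks three things the thread discusses: the accepted answer's pattern with literal quotes does not match events that have no quotes, the unquoted pattern finds the tag wherever it sits in the event, and [^<]+ versus \d{6} behave differently when the value is not six digits. The event lines are constructed, and the rex, extractAll and suspiciousCodes helpers are assumptions made for the example. The \" escapes from the SPL strings are dropped because the patterns are regex literals here, not strings inside a double-quoted SPL argument.

```javascript
// Added example (not from the thread or from Splunk): run the thread's rex
// patterns as JavaScript regexes over constructed events. No "u" flag is
// used, because the \< and \> identity escapes in the patterns are only
// accepted in non-unicode mode; in Splunk (PCRE) they are plain literals.

// Constructed sample events. The tag sits at a different offset in each,
// which is why a positional field extraction fails and a regex does not.
const EVENTS = [
  '2024-01-01T10:00:00 order=1 <BusinessPartnerCode>005003</BusinessPartnerCode> status=OK',
  '2024-01-01T10:00:01 <Customer>ACME</Customer><Country>DE</Country><BusinessPartnerCode>001999</BusinessPartnerCode>',
  '2024-01-01T10:00:02 <BusinessPartnerCode>12AB45</BusinessPartnerCode> order=3',   // malformed: letters
  '2024-01-01T10:00:03 order=4 <BusinessPartnerCode>0050031</BusinessPartnerCode>',  // malformed: 7 digits
  '2024-01-01T10:00:04 order=5 status=FAIL',                                          // tag absent
];

const PATTERNS = {
  // Accepted answer: written for the sample as posted, with literal quotes
  // around the angle brackets (the SPL \" escapes become plain " here).
  quoted: /"\<"BusinessPartnerCode\>(?<businessCode>[^"]+)"\<"\/BusinessPartnerCode\>/,
  // Later reply: real events carry no quotes; take everything up to the next "<".
  loose: /\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>/,
  // Same regex as EXTRACT-bpc in props.conf: insist on exactly six digits.
  strict: /\<BusinessPartnerCode\>(?<businessCode>\d{6})\<\/BusinessPartnerCode\>/,
};

// Mimic "| rex": return the named group from the first match, or null when
// the pattern does not match (Splunk would simply leave the field unset).
function rex(event, pattern) {
  const m = pattern.exec(event);
  return m && m.groups ? (m.groups.businessCode ?? null) : null;
}

// Extract businessCode from every event with the named pattern, keeping
// event order so missing values line up with their events.
function extractAll(patternName, events = EVENTS) {
  return events.map((e) => rex(e, PATTERNS[patternName]));
}

// Values the loose pattern accepts but the strict one rejects. These are
// tag contents that are not a six-digit code; the loose extraction would
// silently carry them into reports, the strict one silently drops the
// field, so either way they are worth a look before the field is trusted.
function suspiciousCodes(events = EVENTS) {
  return events
    .map((e) => ({ loose: rex(e, PATTERNS.loose), strict: rex(e, PATTERNS.strict) }))
    .filter(({ loose, strict }) => loose !== null && strict === null)
    .map(({ loose }) => loose);
}

for (const name of Object.keys(PATTERNS)) {
  console.log(name.padEnd(7), JSON.stringify(extractAll(name)));
}
console.log('suspicious', JSON.stringify(suspiciousCodes()));
```

Run it with node. The quoted pattern yields nothing for any of the events, which is the mismatch the thread ran into; the loose and strict patterns agree on well-formed events regardless of where the tag appears, and differ exactly on the malformed ones. In Splunk the same comparison can be made by extracting both variants under different field names and searching for events where one is set and the other is not.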

Legend

Is it always the same number? Is it always 6 digits? Please share some sample events.


Communicator

The number is changing but it's always 6 digits.
