Splunk Search

How to extract each set of numbers from a string before space and after a ;(semi-colon)?

Satheesh_red
Path Finder

Hi,

I'm trying to extract the matching patterns 35255955, 35226999, 35162846 ... etc. until the end of the string, with each match going into the patch_number field, from the string below (before a <space> and after the ;(semi-colon))

I tried the rex below in regex101.com and tested it, which worked for me with ([^\s<patch_number>]+;)
but when I apply the same in Splunk, it's not working; it gives me the error below

query = index = ** sourcetype=** | rex field=_raw "([^\s<patch_number>]+;)"

Error in 'rex' command: The regex '([^\s<patch_number>]+;)' does not extract anything. It should specify at least one named group. Format: (?<name>...).
 
I'm looking for the result of the patch_number field to be 35255955,35226999,35162846 ... etc. in Splunk

Event String:
Domain=dfs1_sit2_osb 35255955;SOA Bundle Patch 12.2.1.4.230404 35226999;WLS PATCH SET UPDATE 12.2.1.4.230328 35162846;FMW Thirdparty Bundle Patch 12.2.1.4.230309 35159582;OWSM BUNDLE PATCH 12.2.1.4.230308 35148842;ADF BUNDLE PATCH 12.2.1.4.230306 35035861;RDA release 23.2-20230418 for OFM 12.2.1.4 SPB 33950717;OPSS Bundle Patch 12.2.1.4.220311 1221417;Coherence Cumulative Patch 12.2.1.4.17 34765492; 34542329;One-off 33639718;33639718 - ADR FOR WEBLOGIC SERVER 12.2.1.4.0 JUL CPU 2022 33903365;One-off 32720458;JDBC 19.3.0.0 FOR CPUJAN2022 (WLS 12.2.1.4, WLS 14.1.1) 33093748;One-off 32455874;One-off 32121987;OSB Bundle Patch 12.2.1.4.201105 31101362; 30997624;One-off 30741105;One-off 30700379;One-off 30455072;One-off 28970552;One-off 26573463;One-off 22526026;One-off 18387355;One-off OPatch succeeded.

 

Kindly help me.

 

Regards,

Satheesh 

 


richgalloway
SplunkTrust

While the regex may be valid, it does not contain a named capture group, which is why the error was thrown.  Try this command.

query = index = ** sourcetype=** | rex field=_raw "\s(?<patch_number>[^;]+);"
---
If this reply helps you, Karma would be appreciated.

Satheesh_red
Path Finder

Thanks for the reply @richgalloway 

When I use this | rex field=_raw "\s(?<patch_number>[^;]+);" I get no errors, but it gives only one patch set number in the patch_number field, which is 35255955. Will it be possible to find all the matched patterns separated by a comma, like below, from the complete string?

The expected outcome for the patch_number field should be 35255955,35226999,35162846,35159582,35148842,35035861,33950717,1221417, ... etc.

 

Regards,

Satheesh


richgalloway
SplunkTrust

To find multiple matches of a string with the rex command, use the max_match=n option.  max_match=0 will return all matches.

---
If this reply helps you, Karma would be appreciated.
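The named-group fix and the max_match=0 behaviour from the two replies above, run over the thread's own event string in Python; this is an added example, not the asker's, the replier's or Splunk's code. It goes one step beyond the thread: alongside the accepted regex it tries a digits-only pattern, because `[^;]+` also swallows any text between the first space of an entry and its semicolon.

```python
import re

# Constructed sample: the first entries of the event string posted in the thread, plus the
# "34765492; 34542329;" pair (a number preceded by "; " rather than by descriptive text).
EVENT = (
    "Domain=dfs1_sit2_osb 35255955;SOA Bundle Patch 12.2.1.4.230404 35226999;"
    "WLS PATCH SET UPDATE 12.2.1.4.230328 35162846;"
    "Coherence Cumulative Patch 12.2.1.4.17 34765492; 34542329;One-off 33639718;"
    "OPatch succeeded."
)

# The regex from the accepted reply. Python spells a named group (?P<name>...);
# Splunk's rex (PCRE) spells it (?<name>...), which is what the error message asks for.
THREAD_REGEX = re.compile(r"\s(?P<patch_number>[^;]+);")

# Tighter variant (an addition, not from the thread): only a run of digits sitting
# between whitespace and the semicolon counts as a patch number.
DIGITS_REGEX = re.compile(r"\s(?P<patch_number>\d+);")


def rex(pattern, text, max_match=1):
    """Mimic `| rex field=_raw "<pattern>" max_match=<n>` for one named group.

    max_match=1 is rex's default (first match only); max_match=0 returns every
    match, as the accepted reply explains.
    """
    values = [m.group("patch_number") for m in pattern.finditer(text)]
    return values if max_match == 0 else values[:max_match]


def first_match_only():
    # Default max_match: this is why the asker saw only 35255955.
    return rex(THREAD_REGEX, EVENT)


def all_matches_thread_regex():
    # max_match=0 with the thread's regex: every match, but [^;]+ also keeps the
    # descriptive text between an entry's first space and its semicolon.
    return rex(THREAD_REGEX, EVENT, max_match=0)


def all_patch_numbers():
    # max_match=0 with the digits-only regex, joined with commas as the asker wanted.
    return ",".join(rex(DIGITS_REGEX, EVENT, max_match=0))


if __name__ == "__main__":
    print(first_match_only())
    print(all_matches_thread_regex())
    print(all_patch_numbers())
```

In Splunk, max_match=0 yields a multivalue field rather than a comma-separated string; the joined form shown here corresponds to a follow-up `| eval patch_number=mvjoin(patch_number, ",")`.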

Satheesh_red
Path Finder

Thank you for your help @richgalloway

It worked. Appreciate your help.

 

Regards,

Satheesh
