Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract each set of numbers from a string before space and after a ;(semi-colon)?

Satheesh_red
Path Finder
‎06-26-2023 12:01 AM

Hi,

I'm trying to extract the matching patterns 35255955, 35226999, 35162846 ...etc untill end of the string with matching one into patch_number field from the string below before <space> and after the ;(semi-colon)

I tried use below rex in regex101.com and tested, which worked for me with  ([^\s<patch_number>]+;)
but when i apply same in Splunk, it's not working, it's giving me error below

query = index = ** sourcetype=** | rex field=_raw "([^\s<patch_number>]+;)"

Error in 'rex' command: The regex '([^\s<patch_number>]+;)' does not extract anything. It should specify at least one named group. Format: (?<name>...).
 
I'm looking at the result for the field - patch_number is 35255955,35226999,35162846 ....etc in splunk

 

Event String:-
Domain=dfs1_sit2_osb 35255955;SOA Bundle Patch 12.2.1.4.230404 35226999;WLS PATCH SET UPDATE 12.2.1.4.230328 35162846;FMW Thirdparty Bundle Patch 12.2.1.4.230309 35159582;OWSM BUNDLE PATCH 12.2.1.4.230308 35148842;ADF BUNDLE PATCH 12.2.1.4.230306 35035861;RDA release 23.2-20230418 for OFM 12.2.1.4 SPB 33950717;OPSS Bundle Patch 12.2.1.4.220311 1221417;Coherence Cumulative Patch 12.2.1.4.17 34765492; 34542329;One-off 33639718;33639718 - ADR FOR WEBLOGIC SERVER 12.2.1.4.0 JUL CPU 2022 33903365;One-off 32720458;JDBC 19.3.0.0 FOR CPUJAN2022 (WLS 12.2.1.4, WLS 14.1.1) 33093748;One-off 32455874;One-off 32121987;OSB Bundle Patch 12.2.1.4.201105 31101362; 30997624;One-off 30741105;One-off 30700379;One-off 30455072;One-off 28970552;One-off 26573463;One-off 22526026;One-off 18387355;One-off OPatch succeeded.

 

Kindly help me.

 

Regards,

Satheesh 

 

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-26-2023 09:44 AM

To find multiple matches of a string with the rex command, use the max_match=n option.  max_match=0 will return all matches.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-26-2023 08:46 AM

While the regex may be valid, it does not contain a named capture group, which is why the error was thrown.  Try this command.

query = index = ** sourcetype=** | rex field=_raw "\s(?<patch_number>[^;]+);"
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Satheesh_red
Path Finder
‎06-26-2023 09:17 AM

Thanks for the reply @richgalloway 

When I use this | rex field=_raw "\s(?<patch_number>[^;]+);" I get no errors but which is giving only one patch set number in the patch_number field, which is 35255955. Will it be possible to find all the matched patterns separated by a comma? like below from the complete string. 

The expected outcome should be like for patch_number filed is 35255955,35226999,35162846,35159582,35148842,35035861,33950717,1221417, ...etc

 

Regards,

Satheesh

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-26-2023 09:44 AM

To find multiple matches of a string with the rex command, use the max_match=n option.  max_match=0 will return all matches.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Satheesh_red
Path Finder
‎06-26-2023 10:15 PM

Thankyou for your help @richgalloway 

it's worked. Appreciated your help. 

 

Regards,

Satheesh

Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top