Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract each set of numbers from a string before space and after a ;(semi-colon)?

Satheesh_red
Path Finder
‎06-26-2023 12:01 AM

Hi,

I'm trying to extract the matching patterns 35255955, 35226999, 35162846 ...etc untill end of the string with matching one into patch_number field from the string below before <space> and after the ;(semi-colon)

I tried use below rex in regex101.com and tested, which worked for me with  ([^\s<patch_number>]+;)
but when i apply same in Splunk, it's not working, it's giving me error below

query = index = ** sourcetype=** | rex field=_raw "([^\s<patch_number>]+;)"

Error in 'rex' command: The regex '([^\s<patch_number>]+;)' does not extract anything. It should specify at least one named group. Format: (?<name>...).
 
I'm looking at the result for the field - patch_number is 35255955,35226999,35162846 ....etc in splunk

 

Event String:-
Domain=dfs1_sit2_osb 35255955;SOA Bundle Patch 12.2.1.4.230404 35226999;WLS PATCH SET UPDATE 12.2.1.4.230328 35162846;FMW Thirdparty Bundle Patch 12.2.1.4.230309 35159582;OWSM BUNDLE PATCH 12.2.1.4.230308 35148842;ADF BUNDLE PATCH 12.2.1.4.230306 35035861;RDA release 23.2-20230418 for OFM 12.2.1.4 SPB 33950717;OPSS Bundle Patch 12.2.1.4.220311 1221417;Coherence Cumulative Patch 12.2.1.4.17 34765492; 34542329;One-off 33639718;33639718 - ADR FOR WEBLOGIC SERVER 12.2.1.4.0 JUL CPU 2022 33903365;One-off 32720458;JDBC 19.3.0.0 FOR CPUJAN2022 (WLS 12.2.1.4, WLS 14.1.1) 33093748;One-off 32455874;One-off 32121987;OSB Bundle Patch 12.2.1.4.201105 31101362; 30997624;One-off 30741105;One-off 30700379;One-off 30455072;One-off 28970552;One-off 26573463;One-off 22526026;One-off 18387355;One-off OPatch succeeded.

 

Kindly help me.

 

Regards,

Satheesh 

 

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-26-2023 09:44 AM

To find multiple matches of a string with the rex command, use the max_match=n option.  max_match=0 will return all matches.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-26-2023 08:46 AM

While the regex may be valid, it does not contain a named capture group, which is why the error was thrown.  Try this command.

query = index = ** sourcetype=** | rex field=_raw "\s(?<patch_number>[^;]+);"
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Satheesh_red
Path Finder
‎06-26-2023 09:17 AM

Thanks for the reply @richgalloway 

When I use this | rex field=_raw "\s(?<patch_number>[^;]+);" I get no errors but which is giving only one patch set number in the patch_number field, which is 35255955. Will it be possible to find all the matched patterns separated by a comma? like below from the complete string. 

The expected outcome should be like for patch_number filed is 35255955,35226999,35162846,35159582,35148842,35035861,33950717,1221417, ...etc

 

Regards,

Satheesh

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-26-2023 09:44 AM

To find multiple matches of a string with the rex command, use the max_match=n option.  max_match=0 will return all matches.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Satheesh_red
Path Finder
‎06-26-2023 10:15 PM

Thankyou for your help @richgalloway 

it's worked. Appreciated your help. 

 

Regards,

Satheesh

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...