Solved: How to extract numbers correctly

pomazanelvira · ‎03-19-2020

Hi!
I have this field in my log: callerSipNumber="18121710_text". How should I extract "18121710" and name it "number"?
I've tried |rex field=callerSipNumber "((?)[_\w+])". But it didn't give anything. Thanks a lot!

richgalloway · ‎03-19-2020

| rex field=callerSipNumber "(?<number>\d+)" will do it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

vnravikumar · ‎03-19-2020

Hi

Try this

| makeresults 
| eval test="callerSipNumber=\"18121710_text\"" 
| rex field=test "callerSipNumber=\"(?P<result>[\d]+)"

pomazanelvira · ‎03-19-2020

thank u for "makeresults" function

richgalloway · ‎03-19-2020

| rex field=callerSipNumber "(?<number>\d+)" will do it.

---
If this reply helps you, Karma would be appreciated.

pomazanelvira · ‎03-19-2020

thanks a lot!

How to extract numbers correctly

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation