Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract seven digit number with no special characters or white space before/after?

rhenry
Explorer
‎03-04-2022 05:41 AM

Hello,

I am attempting to extract from a field a seven digit number which can sometimes have a space or special character such as # in front of it. I want to be able to output it such that the new field only returns the seven digit number, no special characters or white space before and after. Also, I want to set it such that it will exclude where the seven digit number begins with zero. So far, I have only been able to come up with and tried the following in regular expression:

(?<Field1>\d\d\d\d\d\d\d) *Pulls less than seven digits as well; need exactly seven.

(?<Field1>[^a-zA-Z]\d{7}) *Does not omit special characters before it and pulls seven digit numbers of 0000000 (want to exclude these).

Can I get some assistance on what the correct regular expression is to be able to pull a seven digit number with no special characters or space before/after and not all zeroes? Thanks!

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-04-2022 06:03 AM

Hi @rhenry,

if you always have "#" before the number, you could use something like this:

| rex "\#(?<ID>\d{7})"

that you can test at https://regex101.com/r/aQEFp4/1

if there could be other conditions, please share some example.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-04-2022 05:46 AM

Does this work for you?

(?<Field1>[1-9]\d{6})
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-04-2022 05:44 AM

Hi @rhenry,

could you share some sample of your logs, highlighting the part of logs to take.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

rhenry
Explorer
‎03-04-2022 05:55 AM

I can give an example:

“The analysis of the log shows for website http://www.somewebsite.com/url-id/1234567abc124def343 there was a malicious attack, ID #1234567.”

In the example above, I only want to pull the second number with ID in front of it. I do not want to pull the seven digit number in the url above. Does that make sense?

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-04-2022 06:03 AM

Hi @rhenry,

if you always have "#" before the number, you could use something like this:

| rex "\#(?<ID>\d{7})"

that you can test at https://regex101.com/r/aQEFp4/1

if there could be other conditions, please share some example.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

rhenry
Explorer
‎03-04-2022 06:20 AM

This is helpful.

So, drilling down on the first example, I want to be be able to specifically locate where it begins with "ID" and then capture that seven digit number afterward. I might have some cases where a different word would appear before it (i.e. "Investigation" or "Incident"). Is it possible to write a regular expression where it will look for multiple words and capture the seven digit number following it? Thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-04-2022 06:38 AM

Hi @rhenry,

yes it's possible, but to help you I need some examples of the various logs that's possible to parse.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

rhenry
Explorer
‎03-04-2022 10:33 AM

I think I have found the solution to my problem. Thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-04-2022 10:24 PM

Hi @rhenry,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contyributors  😉

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-04-2022 06:25 AM 
(incident\s|investigation\s|ID\s\#)(?<ID>[1-9]\d\d\d\d\d\d)
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top