Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract two strings from my sample data and...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
04-11-2016
07:38 AM
Hi,
I wonder whether someone may be able to help me please.
I'm trying to extract the "1234567/123" from the string below, but I'd like the final output to be "1234567123".
"/for/1234567/123/AB1+2BC
I did come up with the following "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/, but I wasn't sure about how to join the "refno" and refno2". I also wasn't sure if there was a more elegant way of doing this.
I just wondered whether someone could possibly look at this please and offer some guidance on how I may go about achieving this.
Many thanks and kind regards
Chris
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nravichandran
Communicator
04-11-2016
11:50 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-11-2016
10:39 PM
Assuming you have this string in a field called reference, which can be simulated like this:
|stats count|eval reference = "/for/1234567/123/AB1+2BC"
Then you can do it like this:
| eval refno=reference
| rex field=refno mode=sed "s%/[^/]+/([^/]+)/([^/]+).*%\1\2%"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nravichandran
Communicator
04-11-2016
11:50 AM
just use | STRCAT refno refno2 NewRef | table NewRef
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
04-11-2016
11:01 PM
Hi, thank you for taking the time to reply to my post.
The solution is great.
Kind Regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-11-2016
08:09 AM
If you're extracting this refno from an existing field (say source), then try something like this
your base search | eval refno=replace(source,"\/for\/([^\/]+)\/([^\/]+)\/","\1\2")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
04-11-2016
10:59 PM
Hi @somesoni2, thank you for coming back to me with this.
Unfortunately I wasn't able to use this because I needed to extract the information from the raw data. When I used '_raw' as the replacement to 'source', this didn't extract the information, so I assumed the field where the regex is extracting the data from must be a definitive field.
Kind Regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
04-11-2016
08:08 AM
Try this (without the first two lines I've used for testing of course):
| stats count
| eval _raw = "/for/1234567/123/AB1+2BC"
| rex max_match=0 "(?<mynum>\d+)\/"
| eval mynum = mvjoin(mynum,"")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
04-11-2016
10:56 PM
Hi @javiergn, thank you for coming back to me with this.
I was able to extract the data which was great, but when it came the join, it repeated the number in the field.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
04-11-2016
08:05 AM
If you're doing this in a search query you can join the fields using eval.
... | rex "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/" | eval refno=refno . refno2 | ...
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
04-11-2016
11:00 PM
Hi @richgalloway, thank you for taking the time to reply and for the solution which works great. Just pipped to the post by @nravichandran
Kind Regads
Chris
Get Updates on the Splunk Community!
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
