Solved: How to extract two strings from my sample data and...

IRHM73 · ‎04-11-2016

Hi,

I wonder whether someone may be able to help me please.

I'm trying to extract the "1234567/123" from the string below, but I'd like the final output to be "1234567123".

"/for/1234567/123/AB1+2BC

I did come up with the following "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/, but I wasn't sure about how to join the "refno" and refno2". I also wasn't sure if there was a more elegant way of doing this.

I just wondered whether someone could possibly look at this please and offer some guidance on how I may go about achieving this.

Many thanks and kind regards

Chris

nravichandran · ‎04-11-2016

just use | STRCAT refno refno2 NewRef | table NewRef

View solution in original post

woodcock · ‎04-11-2016

Assuming you have this string in a field called reference, which can be simulated like this:

|stats count|eval reference = "/for/1234567/123/AB1+2BC"

Then you can do it like this:

| eval refno=reference
| rex field=refno mode=sed "s%/[^/]+/([^/]+)/([^/]+).*%\1\2%"

nravichandran · ‎04-11-2016

just use | STRCAT refno refno2 NewRef | table NewRef

IRHM73 · ‎04-11-2016

Hi, thank you for taking the time to reply to my post.

The solution is great.

Kind Regards

Chris

somesoni2 · ‎04-11-2016

If you're extracting this refno from an existing field (say source), then try something like this

your base search | eval refno=replace(source,"\/for\/([^\/]+)\/([^\/]+)\/","\1\2")

IRHM73 · ‎04-11-2016

Hi @somesoni2, thank you for coming back to me with this.

Unfortunately I wasn't able to use this because I needed to extract the information from the raw data. When I used '_raw' as the replacement to 'source', this didn't extract the information, so I assumed the field where the regex is extracting the data from must be a definitive field.

Kind Regards

Chris

javiergn · ‎04-11-2016

Try this (without the first two lines I've used for testing of course):

| stats count
| eval _raw = "/for/1234567/123/AB1+2BC"
| rex max_match=0 "(?<mynum>\d+)\/"
| eval mynum = mvjoin(mynum,"")

IRHM73 · ‎04-11-2016

Hi @javiergn, thank you for coming back to me with this.

I was able to extract the data which was great, but when it came the join, it repeated the number in the field.

Many thanks and kind regards

Chris

richgalloway · ‎04-11-2016

If you're doing this in a search query you can join the fields using eval.

... | rex "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/" | eval refno=refno . refno2 | ...

---
If this reply helps you, Karma would be appreciated.

IRHM73 · ‎04-11-2016

Hi @richgalloway, thank you for taking the time to reply and for the solution which works great. Just pipped to the post by @nravichandran

Kind Regads

Chris

How to extract two strings from my sample data and concatenate them as one field value?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor