Splunk Search

How to extract two strings from my sample data and concatenate them as one field value?

IRHM73
Motivator

Hi,

I wonder whether someone may be able to help me please.

I'm trying to extract the "1234567/123" from the string below, but I'd like the final output to be "1234567123".

"/for/1234567/123/AB1+2BC"

I did come up with the following "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/", but I wasn't sure about how to join "refno" and "refno2". I also wasn't sure if there was a more elegant way of doing this.

I just wondered whether someone could possibly look at this please and offer some guidance on how I may go about achieving this.

Many thanks and kind regards

Chris

1 Solution

nravichandran
Communicator

just use | STRCAT refno refno2 NewRef | table NewRef


woodcock
Esteemed Legend

Assuming you have this string in a field called reference, which can be simulated like this:

|stats count|eval reference = "/for/1234567/123/AB1+2BC"

Then you can do it like this:

| eval refno=reference
| rex field=refno mode=sed "s%/[^/]+/([^/]+)/([^/]+).*%\1\2%"

IRHM73
Motivator

Hi, thank you for taking the time to reply to my post.

The solution is great.

Kind Regards

Chris


somesoni2
SplunkTrust

If you're extracting this refno from an existing field (say source), then try something like this

your base search | eval refno=replace(source,"(?s)^.*\/for\/([^\/]+)\/([^\/]+)\/.*$","\1\2")

IRHM73
Motivator

Hi @somesoni2, thank you for coming back to me with this.

Unfortunately I wasn't able to use this because I needed to extract the information from the raw data. When I used '_raw' as the replacement to 'source', this didn't extract the information, so I assumed the field where the regex is extracting the data from must be a definitive field.

Kind Regards

Chris


javiergn
SplunkTrust

Try this (without the first two lines I've used for testing of course):

| stats count
| eval _raw = "/for/1234567/123/AB1+2BC"
| rex max_match=0 "(?<mynum>\d+)\/"
| eval mynum = mvjoin(mynum,"")

IRHM73
Motivator

Hi @javiergn, thank you for coming back to me with this.

I was able to extract the data which was great, but when it came to the join, it repeated the number in the field.

Many thanks and kind regards

Chris


richgalloway
SplunkTrust

If you're doing this in a search query you can join the fields using eval.

... | rex "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/" | eval refno=refno . refno2 | ...
---
If this reply helps you, Karma would be appreciated.
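
The Python block below is an added example, not code from the thread or from Splunk. It uses Python's re module to stand in for Splunk's PCRE-based rex, eval replace() and mvjoin so the approaches in the thread can be run side by side against a constructed event (RAW_EVENT, an access-log style line that also contains a date written with slashes; the function names are mine). Python needs the (?P<name>...) form where Splunk's rex accepts (?<name>...). The block shows the capture-and-concatenate form from this answer and the accepted one, why a substitution whose pattern does not consume the rest of the field leaves the trailing text in place (the difference between the sed-mode rex with its trailing .* and a bare replace()), and how the unanchored max_match=0 pattern from @javiergn's answer picks up unrelated numbers from elsewhere in the event.

```python
import re
from typing import Optional

# Constructed sample event (not from the thread): the reference path sits inside
# an access-log style line that also contains a date written with slashes.
RAW_EVENT = ('10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] '
             '"GET /for/1234567/123/AB1+2BC HTTP/1.1" 200 512')

# 1. Capture both path components and concatenate them, the Python equivalent of
#    rex "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/" | eval refno=refno . refno2
#    Python's re needs (?P<name>...) where Splunk's PCRE accepts (?<name>...).
REF_PATTERN = re.compile(r"/for/(?P<refno>[^/]+)/(?P<refno2>[^/]+)/")


def extract_and_concat(raw: str) -> Optional[str]:
    """Return refno + refno2, or None when the event carries no /for/ path."""
    m = REF_PATTERN.search(raw)
    if m is None:
        return None  # rex would simply not create the two fields
    return m.group("refno") + m.group("refno2")


# 2. Substitution on a copy of the field, as with sed-mode rex or eval replace().
#    A substitution rewrites only the span the pattern matched, so any text the
#    pattern does not consume survives in the output.
def substitute_partial(field: str) -> str:
    """Pattern that stops at the second slash: the suffix "/AB1+2BC" is kept."""
    return re.sub(r"/for/([^/]+)/([^/]+)/", r"\1\2", field)


def substitute_whole(field: str) -> str:
    """Pattern anchored on the literal /for/ that also consumes everything before
    and after it, so the whole field collapses to the two captures."""
    return re.sub(r"^.*?/for/([^/]+)/([^/]+)/.*$", r"\1\2", field)


# 3. Unanchored multi-match: rex max_match=0 "(?<mynum>\d+)\/" followed by
#    mvjoin(mynum, ""). Every digit run followed by a slash, anywhere in the
#    event, is captured, so unrelated numbers are joined into the result.
DIGITS_BEFORE_SLASH = re.compile(r"(?P<mynum>\d+)/")


def join_all_digit_runs(raw: str) -> str:
    """Join every 'digits/' capture in order, as mvjoin would."""
    return "".join(DIGITS_BEFORE_SLASH.findall(raw))


if __name__ == "__main__":
    print(extract_and_concat(RAW_EVENT))                   # 1234567123
    print(substitute_partial("/for/1234567/123/AB1+2BC"))  # 1234567123AB1+2BC
    print(substitute_whole("/for/1234567/123/AB1+2BC"))    # 1234567123
    print(substitute_whole(RAW_EVENT))                     # 1234567123
    print(join_all_digit_runs(RAW_EVENT))                  # 101234567123
```

On the sample event the unanchored form prepends the "10" from the date to the reference, which is the kind of extra number the thread reports after mvjoin; anchoring on the literal "/for/" is what keeps the extraction to the two intended components, whichever of the three forms you use.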

IRHM73
Motivator

Hi @richgalloway, thank you for taking the time to reply and for the solution which works great. Just pipped to the post by @nravichandran

Kind Regards

Chris
