Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract two strings from my sample data and concatenate them as one field value?

IRHM73
Motivator
‎04-11-2016 07:38 AM

Hi,

I wonder whether someone may be able to help me please.

I'm trying to extract the "1234567/123" from the string below, but I'd like the final output to be "1234567123".

"/for/1234567/123/AB1+2BC

I did come up with the following "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/, but I wasn't sure about how to join the "refno" and refno2". I also wasn't sure if there was a more elegant way of doing this.

I just wondered whether someone could possibly look at this please and offer some guidance on how I may go about achieving this.

Many thanks and kind regards

Chris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nravichandran
Communicator
‎04-11-2016 11:50 AM

just use | STRCAT refno refno2 NewRef | table NewRef

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-11-2016 10:39 PM

Assuming you have this string in a field called reference, which can be simulated like this:

|stats count|eval reference = "/for/1234567/123/AB1+2BC"

Then you can do it like this:

| eval refno=reference
| rex field=refno mode=sed "s%/[^/]+/([^/]+)/([^/]+).*%\1\2%"
0 Karma
Reply
Solved! Jump to solution
Solution

nravichandran
Communicator
‎04-11-2016 11:50 AM

just use | STRCAT refno refno2 NewRef | table NewRef

Reply
Solved! Jump to solution

IRHM73
Motivator
‎04-11-2016 11:01 PM

Hi, thank you for taking the time to reply to my post.

The solution is great.

Kind Regards

Chris

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-11-2016 08:09 AM

If you're extracting this refno from an existing field (say source), then try something like this

your base search | eval refno=replace(source,"\/for\/([^\/]+)\/([^\/]+)\/","\1\2")
0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎04-11-2016 10:59 PM

Hi @somesoni2, thank you for coming back to me with this.

Unfortunately I wasn't able to use this because I needed to extract the information from the raw data. When I used '_raw' as the replacement to 'source', this didn't extract the information, so I assumed the field where the regex is extracting the data from must be a definitive field.

Kind Regards

Chris

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-11-2016 08:08 AM

Try this (without the first two lines I've used for testing of course):

| stats count
| eval _raw = "/for/1234567/123/AB1+2BC"
| rex max_match=0 "(?<mynum>\d+)\/"
| eval mynum = mvjoin(mynum,"")
0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎04-11-2016 10:56 PM

Hi @javiergn, thank you for coming back to me with this.

I was able to extract the data which was great, but when it came the join, it repeated the number in the field.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2016 08:05 AM

If you're doing this in a search query you can join the fields using eval.

... | rex "\/for\/(?<refno>[^\/]+)\/(?<refno2>[^\/]+)\/" | eval refno=refno . refno2 | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

IRHM73
Motivator
‎04-11-2016 11:00 PM

Hi @richgalloway, thank you for taking the time to reply and for the solution which works great. Just pipped to the post by @nravichandran

Kind Regads

Chris

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...