Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract values from a String.

prafulljha
New Member
‎07-12-2017 02:40 AM

Hi i have values in a column like AA(15), ABC(20), ADSF(90).Now i need a regular expression which gives me only values before the Bracket"(".
so i should get AA,ABC,ADSF as my output.
Please help.

Tags (1)
0 Karma
Reply

dsiob
Communicator
‎07-16-2017 11:21 PM

try this:

/*source*/ | eval new=replace(Track,"\([0-9]*\)","")| table Track,new
Reply

pjhae
Engager
‎07-16-2017 11:36 PM

Hi dsiob,

Thanks, it's working fine.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-17-2017 07:24 AM

OK, so go back and UpVote and helpful/correct answer and click Accept on the correctest one.

0 Karma
Reply

vasanthmss
Motivator
‎07-14-2017 11:09 AM

try something like this, 

source="ABC" sourcetype="csv"|where Level="Lvl3" AND Track="ATL(27)"|rex field=Track mode=sed "s/([^)]*)//"|table "Dom", Track Level
V
0 Karma
Reply

woodcock
Esteemed Legend
‎07-12-2017 07:17 PM

Like this:

| makeresults 
| eval Track="ATL(27)" 
| eval 'ATL(27)'=Track 
| rex field="Track" mode=sed "s/\([^)]*\)//" 
| rex field='ATL(27)' mode=sed "s/\([^)]*\)//"
| eval "ATLcopy(27)" = Track
| foreach "*copy(*)" [ rename <<FIELD>> AS "<<MATCHSEG1>>copy" ]
0 Karma
Reply

prafulljha
New Member
‎07-14-2017 03:23 AM

Hi Woodcock,

Can you please let me know what i am doing wrong here.
Basically i want the string value to print when i use it in Table funciton:
So the output should be "AA" when i pass "AA(27)" as input.
Here is my query:
source="ABC" sourcetype="csv"|where Level="Lvl3" and Track="ATL(27)"|rex field="ATL(27)" mode=sed "s/([^)]*)//"|table "Dom","field"

0 Karma
Reply

woodcock
Esteemed Legend
‎07-14-2017 08:57 PM

I am not at all clear about what you are trying to do but I have updated my answer with a mockup of 3 different guesses all in one search. One of them should be like what you are trying to do. See the updated answer.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎07-12-2017 08:16 AM

If you want to get rid of the parentheses and the numeric values in them, use something like:

... | rex field=_raw mode=sed "s/\(\d*\)//g"

If you want to do a single field, use the fieldname instead of _raw. The value will be returned without the parenthesis and numbers, leaving the values you want.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎07-12-2017 06:25 AM

Try this.. It will extract out only the AA, ABC, ADSF.. This will create the a field called FIELD_NAME.. You can change it to whatever name you want

(?<FIELD_NAME>\w+)\(\d+\)

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...