Solved: Re: How to make a field extraction with field with...

Mike6960 · ‎12-06-2022

Hi,

I am struggeling with field extractions. I have two fields that I want to extract. But the problem is sometimes te value is in 'Documentid : 123456789' and sometimes in 'DocumentId 123456789' so without the :

Is it possible to make an extraction that extracts only the numbers after 'DocumentId' ?

ITWhisperer · ‎12-06-2022

So, is your actual example with either a space or a colon but not both?

 | rex "DocumentId(:| )(?<documentid>\d+)"

It might help if you paste your examples in a code block </> so it doesn't get auto-formatted

View solution in original post

Mike6960 · ‎12-06-2022

@ITWhisperer Thank you. I made a mistake with he examples

DocumentId 47335252

DocumentId:47337177

I changed your regex to : | rex DocumentId:?(?<documentid>\d+) but then it does not recognize the first example (DocumentId:47337177 ) I wish I could understand regex more to fix it myself

ITWhisperer · ‎12-06-2022

So, is your actual example with either a space or a colon but not both?

 | rex "DocumentId(:| )(?<documentid>\d+)"

It might help if you paste your examples in a code block </> so it doesn't get auto-formatted

Mike6960 · ‎12-06-2022

Yes, its either colon or a space. Your last reply worked. Thank you

ITWhisperer · ‎12-06-2022

Assuming it is just the colon that is missing and the two spaces are there:

| rex "Documentid :? (?<documentid>\d+)"

How to make a field extraction with field with and without ':'?

field extraction

regex

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM