Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use regex command to match a certain amount of characters in a field?

showard22
New Member
‎03-20-2017 03:47 PM

I want to use Splunk to match on a field name for accounts with exactly 4 characters, all numbers and letters.

I keep trying: 

index=corp sourcetype=importantlogs | fields Account EventType | regex Account="[a-zA-Z0-9]{4}"

I feel like I'm overlooking something super simple and I've been stuck on this for a few hours. Any outsider thoughts?

0 Karma
Reply

DalJeanis
Legend
‎03-20-2017 09:03 PM

woodcock has a good answer, once you change the period to a more limited character class (\w is the simplest) For the same effect of keeping only accounts that are exactly 4 "word" characters, you could also use...

| where like(Account, "^\w{4}$"
0 Karma
Reply

woodcock
Esteemed Legend
‎03-20-2017 06:23 PM

You did not anchor it; try this:

index=corp sourcetype=importantlogs | fields Account EventType | regex Account="^.{4}$"
0 Karma
Reply

DalJeanis
Legend
‎03-20-2017 08:58 PM

Need a smaller character class, only letters and numbers.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-21-2017 07:25 AM

A simpler match character is more efficient and worth the infinitesimally small risk of a false positive.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top