Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use regex command to match a certain amount of characters in a field?

showard22
New Member
‎03-20-2017 03:47 PM

I want to use Splunk to match on a field name for accounts with exactly 4 characters, all numbers and letters.

I keep trying: 

index=corp sourcetype=importantlogs | fields Account EventType | regex Account="[a-zA-Z0-9]{4}"

I feel like I'm overlooking something super simple and I've been stuck on this for a few hours. Any outsider thoughts?

0 Karma
Reply

DalJeanis
Legend
‎03-20-2017 09:03 PM

woodcock has a good answer, once you change the period to a more limited character class (\w is the simplest) For the same effect of keeping only accounts that are exactly 4 "word" characters, you could also use...

| where like(Account, "^\w{4}$"
0 Karma
Reply

woodcock
Esteemed Legend
‎03-20-2017 06:23 PM

You did not anchor it; try this:

index=corp sourcetype=importantlogs | fields Account EventType | regex Account="^.{4}$"
0 Karma
Reply

DalJeanis
Legend
‎03-20-2017 08:58 PM

Need a smaller character class, only letters and numbers.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-21-2017 07:25 AM

A simpler match character is more efficient and worth the infinitesimally small risk of a false positive.

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...