Splunk Search

How to use regex command to match a certain amount of characters in a field?

showard22
New Member

I want to use Splunk to match on a field name for accounts with exactly 4 characters, all numbers and letters.

I keep trying:

index=corp sourcetype=importantlogs | fields Account EventType | regex Account="[a-zA-Z0-9]{4}"

I feel like I'm overlooking something super simple and I've been stuck on this for a few hours. Any outsider thoughts?

0 Karma

DalJeanis
Legend

woodcock has a good answer, once you change the period to a more limited character class (\w is the simplest) For the same effect of keeping only accounts that are exactly 4 "word" characters, you could also use...

| where like(Account, "^\w{4}$"
0 Karma

woodcock
Esteemed Legend

You did not anchor it; try this:

index=corp sourcetype=importantlogs | fields Account EventType | regex Account="^.{4}$"
0 Karma

DalJeanis
Legend

Need a smaller character class, only letters and numbers.

0 Karma

woodcock
Esteemed Legend

A simpler match character is more efficient and worth the infinitesimally small risk of a false positive.

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...