How to use regex command to match a certain amount...

showard22 · ‎03-20-2017

I want to use Splunk to match on a field name for accounts with exactly 4 characters, all numbers and letters.

I keep trying:

index=corp sourcetype=importantlogs | fields Account EventType | regex Account="[a-zA-Z0-9]{4}"

I feel like I'm overlooking something super simple and I've been stuck on this for a few hours. Any outsider thoughts?

DalJeanis · ‎03-20-2017

woodcock has a good answer, once you change the period to a more limited character class (\w is the simplest) For the same effect of keeping only accounts that are exactly 4 "word" characters, you could also use...

| where like(Account, "^\w{4}$"

woodcock · ‎03-20-2017

You did not anchor it; try this:

index=corp sourcetype=importantlogs | fields Account EventType | regex Account="^.{4}$"

DalJeanis · ‎03-20-2017

Need a smaller character class, only letters and numbers.

woodcock · ‎03-21-2017

A simpler match character is more efficient and worth the infinitesimally small risk of a false positive.

How to use regex command to match a certain amount of characters in a field?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

How to use regex command to match a certain amount of characters in a field?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside