Solved: How to use regex on a field's value in a search?

splunkuser21 · ‎11-03-2015

index=system* sourcetype=inventory  order=829

I am trying to extract the 3 digit field number in this search with rex to search all entries with only the three digit code. I tried:

index=system* sourcetype=inventory  (rex field=order "\d+")
index=system* sourcetype=inventory  (rex field=order "(\d+)")
index=system* sourcetype=inventory  (rex field=order "[0-9]{3}")

What is the correct way to do this?

Thanks!

MuS · ‎11-03-2015

Hi splunkuser21,

try this:

index=system* sourcetype=inventory  | rex field=order "(?<myOrder>\d{3})" | search myOrder=*

This will create a new field called myOrder which can be searched further down the search pipe.
Hope this helps ...

cheers, MuS

View solution in original post

skottska · ‎12-18-2018

You can also use

index=system* sourcetype=inventory | regex order="\d{3}"

MuS · ‎11-03-2015

Hi splunkuser21,

try this:

index=system* sourcetype=inventory  | rex field=order "(?<myOrder>\d{3})" | search myOrder=*

This will create a new field called myOrder which can be searched further down the search pipe.
Hope this helps ...

cheers, MuS

MuS · ‎11-03-2015

You could also simply search for all orders below 1000 this will also return all order containing 3 digits:

index=system* sourcetype=inventory  order<1000

splunkuser21 · ‎11-03-2015

Thanks @MuS !

How to use regex on a field's value in a search?

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)