How to use regex on a field's value in a search?

Engager
index=system* sourcetype=inventory  order=829

I am trying to extract the 3 digit field number in this search with rex to search all entries with only the three digit code. I tried:

index=system* sourcetype=inventory  (rex field=order "\d+")
index=system* sourcetype=inventory  (rex field=order "(\d+)")
index=system* sourcetype=inventory  (rex field=order "[0-9]{3}")

What is the correct way to do this?

Thanks!

0 Karma

Re: How to use regex on a field's value in a search?

SplunkTrust

Hi splunkuser21,

try this:

index=system* sourcetype=inventory  | rex field=order "(?<myOrder>\d{3})" | search myOrder=*

This will create a new field called myOrder which can be searched further down the search pipe.
Hope this helps ...

cheers, MuS


Re: How to use regex on a field's value in a search?

SplunkTrust

You could also simply search for all orders below 1000; this will also return all orders containing 3 digits:

index=system* sourcetype=inventory  order<1000

0 Karma

Re: How to use regex on a field's value in a search?

Engager

Thanks @MuS !

0 Karma

Re: How to use regex on a field's value in a search?

New Member

You can also use

index=system* sourcetype=inventory | regex order="\d{3}"

0 Karma
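
The three approaches posted in this thread (the unanchored rex extraction, the regex filter, and order<1000) do not select the same set of values. The Python sketch below is an added example, not code from any poster or from Splunk: it models each search's matching rule over constructed order values, and the anchored variant and all function names are assumptions introduced here.

```python
import re

# Constructed sample values for the "order" field (not data from the thread).
SAMPLE_ORDERS = ["829", "82", "1000", "12345", "ORD-829"]

def rex_extract(value):
    # Models: | rex field=order "(?<myOrder>\d{3})"
    # Unanchored, so the first run of three digits is captured.
    # Python spells the named group (?P<name>...) instead of (?<name>...).
    m = re.search(r"(?P<myOrder>\d{3})", value, re.ASCII)
    return m.group("myOrder") if m else None

def regex_filter(value):
    # Models: | regex order="\d{3}"
    # The event is kept if the pattern matches anywhere in the value.
    return re.search(r"\d{3}", value, re.ASCII) is not None

def below_1000(value):
    # Models: order<1000, for purely numeric values only.
    # Assumption: non-numeric values are excluded here, because the thread
    # does not cover how that comparison treats them.
    return value.isascii() and value.isdigit() and int(value) < 1000

def exactly_three_digits(value):
    # Anchored variant (hypothetical, not from the thread): the whole value
    # must be three digits, equivalent to the pattern ^\d{3}$.
    return re.fullmatch(r"\d{3}", value, re.ASCII) is not None

def compare(orders=SAMPLE_ORDERS):
    # One row per sample value, one column per approach.
    return {
        o: {
            "rex myOrder": rex_extract(o),
            "regex": regex_filter(o),
            "order<1000": below_1000(o),
            "anchored": exactly_three_digits(o),
        }
        for o in orders
    }

if __name__ == "__main__":
    for order, row in compare().items():
        print(f"{order:>8}  {row}")
```
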