Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use regex to extract strings for a field instead of eval?

akshaykaul
Explorer
‎05-10-2016 08:46 PM

hi,

I am trying to extract billing info from a field and use them as two different columns in my stats table.

Example field values:

SC=$170 Service IDL120686730
SNC=$170 Service IDL120686730

Currently I am using eval:

| eval fee=substr(Work_Notes,1,8)
| eval service_IDL=substr(Work_Notes,16,32) 
|table fee service_IDL

to get fee as SC=$170 and service_IDL as IDL120686730, but since the original string is manually entered hence using substr ma not be efficient in case user puts extra spaces extra or if SNC=$0

So is there a way I can use regex to extract the two fields from original string "SNC=$170 Service IDL120686730"
Don't have much experience using regex so would appreciate any help!

thank you in advance.

0 Karma
Reply

sundareshr
Legend
‎05-11-2016 10:12 AM

See if this works for you

.... | rex field=Work_Notes "(?<grp>[SNC]+)\s*=\s*(?<fee>\$\s*\d+)\s*Service\s*IDL(?<idl>\d+)" | table grp fee idl
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎05-10-2016 10:56 PM

If your raw event contains:

SNC=$170 Service IDL120686730

You can use the following regex..

<base search> | regex field=_raw "SNC=(?<snc>[^\s]+)\sService\s(?<idl>.*)" | table snc idl

Note that this assumes the end of the message is the IDL120686730

If there is more text after this, you need to change the regex a bit..

Reply

akshaykaul
Explorer
‎05-11-2016 12:58 AM

Thank you for your response.

I am intrested in raw event containing both:
SNC=$170 Service IDL120686730 OR
SC=$170 Service IDL120686730
which I filter using the CASE statement as shown below.

I tried to use the regex for SNC but I might be missing something.
Error in 'SearchOperator:regex': Usage: regex (=|!=) 

  index=sdp-fr sourcetype=sdp_remedy_workorders_worknotes | join Work_Order_ID [search  index=sdp-fr sourcetype=sdp_remedy_Workorders] 
     | search Company="*"  Work_Order_ID=* Status="*" 
     | eval TARGET=CASE(
                       Work_Notes LIKE "%SC=%",1,       
                       Work_Notes LIKE "%SNC=%",2) 
     | search TARGET=1 OR TARGET=2
     | regex Work_Notes=_raw "SNC=(?<snc>[^\s]+)\sService\s(?<idl>.*)" 
     | rename Actual_End_Date AS Closing_Date 
     | table Company Customer Work_Order_ID Submit_Date Closing_Date  Work_Order_Type Status Submitter Summary Support_Group  Work_Notes  Work_Log_ID snc idl
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎05-11-2016 01:00 AM

This should be field=_raw, not Work_Notes=_raw.

0 Karma
Reply

akshaykaul
Explorer
‎05-11-2016 01:10 AM

| regex field=_raw "SNC=(?[^\s]+)\sService\s(?.*)"

still got the same error.
as you can see I am trying to fetch the fields IDL and SNC from the Work_Notes field.
the whole raw event is :

 Work_Log_ID=CWL000000164885 Work_Order_ID=WO0000000050093 Submit_Date=1462945570 Work_Log_Type="General Information" Submit_Time="2016-05-11 17:46:10.000       " Work_Notes="SC=$170 Service IDL100611944\x00"
0 Karma
Reply

akshaykaul
Explorer
‎05-11-2016 01:12 AM 
index=sdp-fr sourcetype=sdp_remedy_workorders_worknotes | join Work_Order_ID [search  index=sdp-fr sourcetype=sdp_remedy_Workorders] 
 | search Company="*"  Work_Order_ID=* Status="*" 
 | eval TARGET=CASE(
                   Work_Notes LIKE "%SC=%",1,       
                   Work_Notes LIKE "%SNC=%",2) 
 | search TARGET=1 OR TARGET=2
 | regex field=_raw "SNC=(?<snc>[^\s]+)\sService\s(?<idl>.*)" 
 | rename Actual_End_Date AS Closing_Date 
 | table Company Customer Work_Order_ID Submit_Date Closing_Date  Work_Order_Type Status Submitter Summary Support_Group  Work_Notes  Work_Log_ID snc idl
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎05-11-2016 01:16 AM

Is the raw event SC= or SNC= ..

You have posted both. If its both, you should adjust the regex.. to 

.. | regex field=_raw "(SN|SNC)=(?<snc>[^\s]+)\sService\s(?<idl>.*)" | ..
0 Karma
Reply

akshaykaul
Explorer
‎05-11-2016 01:20 AM

the raw event can have either SC or SNC
but not both for an individual event
thats why i am fetching both the events by using
| eval TARGET=CASE(
Work_Notes LIKE "%SC=%",1,

Work_Notes LIKE "%SNC=%",2)
| search TARGET=1 OR TARGET=2

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top