Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a regex for string followed by number?

arjun_krishna
Explorer
‎08-20-2018 03:41 AM

Below are my 3 logs, i want to write a query, to get all the below 3 logs:

**EXT_CODE*[0-9]** with 1/2/3 digit followed by EXT_CODE

index="zync*"|EXT_CODE2=AB003|EXT_CODE35=BC003|EXT_CODE4=CA010|GEN_CODE14=CD010
index="zync*"CDT|EXT_CODE4=XY005|EXT_CODE42=DE040|EXT_CODE4=ZQ019|GEN_CODE11=PY016
index="zync*"|EXT_CODE5=PC099|EXT_CODE22=BC054|EXT_CODE4=ZC018|GEN_CODE11=ZV010

Can some one please suggest the query

my query: index="zync*" EXT_CODE[0-9]*="*"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mhoogcarspel_sp
Splunk Employee
Splunk Employee
‎08-20-2018 06:27 AM

provided that that is the _raw, if you just need to find the events you can use the regex command:

| makeresults

| eval _raw="EXT_CODE5=PC099|EXT_CODE22=BC054|EXT_CODE4=ZC018|GEN_CODE11=ZV010"
| regex "(EXT|GEN)_CODE\d{1,3}="

View solution in original post

Reply
Solved! Jump to solution
Solution

mhoogcarspel_sp
Splunk Employee
Splunk Employee
‎08-20-2018 06:27 AM

provided that that is the _raw, if you just need to find the events you can use the regex command:

| makeresults

| eval _raw="EXT_CODE5=PC099|EXT_CODE22=BC054|EXT_CODE4=ZC018|GEN_CODE11=ZV010"
| regex "(EXT|GEN)_CODE\d{1,3}="

Reply
Solved! Jump to solution

arjun_krishna
Explorer
‎08-20-2018 06:47 AM

regex "EXT_CODE\d{1,3}="
This is working for me , but i want both EXT_CODE & GEN_CODE followed by 1/2/3 digit followed (Eg: GEN_CODE017 (or) GEN_CODE001 (or) GEN_CODE999 (or) EXT_CODE017 (or) EXT_CODE001 (or) EXT_CODE999 (or) ......)

0 Karma
Reply
Solved! Jump to solution

tomawest
Path Finder
‎08-20-2018 08:46 AM

Does this work? regex "(EXT_CODE\d{1,3}=|GEN_CODE\d{1,3}=)

0 Karma
Reply
Solved! Jump to solution

arjun_krishna
Explorer
‎08-20-2018 07:07 AM

@mhoogcarspel , Please respond

0 Karma
Reply
Solved! Jump to solution

mhoogcarspel_sp
Splunk Employee
Splunk Employee
‎08-20-2018 08:47 AM

Missed that part

(EXT|GEN)_CODE\d{1,3}=

should work for that

btw, I use regex101 for a lot of these things:
https://regex101.com/r/RfKqEt/2
really great tool

0 Karma
Reply
Solved! Jump to solution

arjun_krishna
Explorer
‎08-21-2018 02:55 AM

Great its working for me

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎08-20-2018 04:38 AM

can you please share some sample logs and what you need to extract..

0 Karma
Reply
Solved! Jump to solution

arjun_krishna
Explorer
‎08-20-2018 05:14 AM

log1: index="zync*"|EXT_CODE2=AB003|EXT_CODE35=BC003|EXT_CODE4=CA010|GEN_CODE14=CD010
log2: index="zync*"CDT|EXT_CODE4=XY005|EXT_CODE42=DE040|EXT_CODE4=ZQ019|GEN_CODE11=PY016
log3: index="zync*"|EXT_CODE5=PC099|EXT_CODE22=BC054|EXT_CODE4=ZC018|GEN_CODE11=ZV010

from multiple logs, i have to get above logs which are having EXT_CODE followed by 1/2/3 digit followed (Eg: EXT_CODE017 (or) EXT_CODE001 (or) EXT_CODE999 (or) ......)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...