Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write regex to extract three digit numbers ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthikTIL
Path Finder
09-17-2014
09:57 PM
HI,
I have source file test.csv which has words like "abc-234 " , "456", "df 654", "er567 -ly".
In all the above words, i want to take only three digit numbers and assign to a field called "eng".
Please let me know how would be the regular expression would be?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-17-2014
10:49 PM
Hi karthikTIL,
use something like this:
your base search here | rex "(?<eng>\d{3})" | ...
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-17-2014
10:49 PM
Hi karthikTIL,
use something like this:
your base search here | rex "(?<eng>\d{3})" | ...
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthikTIL
Path Finder
09-17-2014
10:58 PM
HI MuS,
sorry, i forgot to add.
All my words occur after "Title #:"
e.g. Title #: df 654
so i used,
your base search here | rex "Title #:(?\d{3})" | ...
but it did not give any result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-17-2014
11:17 PM
Sure this will not work, because this regex does not match and you did not specify a field name for the group.
Why didn't you try the regex I provided? This will catch all 3 digit numbers, no matter what comes before or after.
But if you really need to match only the Title #: numbers use something like this:
your base search here | rex "Title\s\#\:[\s\w\-]+(?<eng>\d{3})" | ...
and please don't use your base search here as your search, this is only a place holder 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthikTIL
Path Finder
09-17-2014
11:51 PM
Thanks MuS, it worked now.
actually i specified field in my query earlier, but it was not displayed in my query above:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-17-2014
11:53 PM
you're welcome. please mark this as answered if the provided answer was correct - thx
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
