Splunk Search

How to write regex to extract three digit numbers from a CSV file and assign the values to a new field?

karthikTIL
Path Finder

Hi,

I have a source file test.csv which has words like "abc-234 ", "456", "df 654", "er567 -ly".
In all the above words, I want to take only the three-digit numbers and assign them to a field called "eng".
Please let me know what the regular expression would be.

1 Solution

MuS
Legend

Hi karthikTIL,

Use something like this:

your base search here | rex "(?<eng>\d{3})" | ...

Hope this helps ...

Cheers, MuS

karthikTIL
Path Finder

Hi MuS,

Sorry, I forgot to add.
All my words occur after "Title #:"
e.g. Title #: df 654

So I used,

your base search here | rex "Title #:(?\d{3})" | ...

but it did not give any result.

0 Karma

MuS
Legend

Sure, this will not work, because this regex does not match and you did not specify a field name for the group.
Why didn't you try the regex I provided? This will catch all 3-digit numbers, no matter what comes before or after.
But if you really need to match only the Title #: numbers, use something like this:

your base search here | rex "Title\s\#\:[\s\w\-]+(?<eng>\d{3})" | ...

And please don't use your base search here as your search, this is only a placeholder 😉

karthikTIL
Path Finder

Thanks MuS, it worked now.
Actually, I specified the field in my query earlier, but it was not displayed in my query above :)

0 Karma

MuS
Legend

You're welcome. Please mark this as answered if the provided answer was correct - thx

0 Karma
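Added example, not part of the original thread or written by any of its posters: a Python harness that runs the two rex patterns from the answers over constructed CSV rows and shows what each captures when the digit run is longer than three. The sample rows, the function names and the third pattern (digit-boundary lookarounds) are assumptions made for illustration; Python writes the named group as `(?P<eng>...)` where Splunk's rex takes `(?<eng>...)`.

```python
import csv
import io
import re

# Constructed sample rows (not from the thread). Rows 1-4 reuse the words from
# the question behind the "Title #:" prefix; rows 5-6 are added edge cases.
SAMPLE_CSV = '''id,text
1,"Title #: abc-234 "
2,"Title #: 456"
3,"Title #: df 654"
4,"Title #: er567 -ly"
5,"Title #: id 12345"
6,"Ref 999, no title"
'''

# First pattern from the thread: any three consecutive digits, first hit wins.
ANY_3 = re.compile(r"(?P<eng>\d{3})")
# Second pattern from the thread: three digits somewhere after "Title #:".
# The greedy character class means the LAST three digits of a long run win.
TITLE_3 = re.compile(r"Title\s\#\:[\s\w\-]+(?P<eng>\d{3})")
# Assumption (not from the thread): lookarounds reject runs that are longer
# than three digits, so the field is only set for a true three-digit number.
TITLE_EXACT = re.compile(r"Title\s\#\:[\s\w\-]*?(?<!\d)(?P<eng>\d{3})(?!\d)")


def extract(pattern, text):
    """Return the value of the 'eng' group, or None when nothing matches."""
    match = pattern.search(text)
    return match.group("eng") if match else None


def compare(csv_text=SAMPLE_CSV):
    """Map row id -> (ANY_3, TITLE_3, TITLE_EXACT) extraction results."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        results[row["id"]] = tuple(
            extract(p, row["text"]) for p in (ANY_3, TITLE_3, TITLE_EXACT)
        )
    return results


if __name__ == "__main__":
    for row_id, values in compare().items():
        print(row_id, values)
```

Row 5 is the case to watch in field extractions that feed searches or alerts: the unanchored pattern yields the first three digits of 12345, the Title pattern yields the last three, and only the boundary-guarded variant leaves the field empty.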