Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to write regex to extract three digit numb...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthikTIL
Path Finder
09-17-2014
09:57 PM
HI,
I have source file test.csv which has words like "abc-234 " , "456", "df 654", "er567 -ly".
In all the above words, i want to take only three digit numbers and assign to a field called "eng".
Please let me know how would be the regular expression would be?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-17-2014
10:49 PM
Hi karthikTIL,
use something like this:
your base search here | rex "(?<eng>\d{3})" | ...
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-17-2014
10:49 PM
Hi karthikTIL,
use something like this:
your base search here | rex "(?<eng>\d{3})" | ...
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthikTIL
Path Finder
09-17-2014
10:58 PM
HI MuS,
sorry, i forgot to add.
All my words occur after "Title #:"
e.g. Title #: df 654
so i used,
your base search here | rex "Title #:(?\d{3})" | ...
but it did not give any result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-17-2014
11:17 PM
Sure this will not work, because this regex does not match and you did not specify a field name for the group.
Why didn't you try the regex I provided? This will catch all 3 digit numbers, no matter what comes before or after.
But if you really need to match only the Title #: numbers use something like this:
your base search here | rex "Title\s\#\:[\s\w\-]+(?<eng>\d{3})" | ...
and please don't use your base search here as your search, this is only a place holder 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthikTIL
Path Finder
09-17-2014
11:51 PM
Thanks MuS, it worked now.
actually i specified field in my query earlier, but it was not displayed in my query above:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-17-2014
11:53 PM
you're welcome. please mark this as answered if the provided answer was correct - thx
Get Updates on the Splunk Community!
Splunk ITSI & Correlated Network Visibility
Now On Demand
Take Your Network Visibility to the Next Level
In today’s complex IT environments, ...
Community Content Calendar, August edition
In the dynamic world of cybersecurity, staying ahead means constantly solving new puzzles and optimizing your ...
Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust
Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
