Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I need help finding a substring and setting it to display in a new field.

dlespron
Path Finder
‎01-08-2014 08:30 AM

I am sure this is probably a noob question, but I am a noob and I have been researching this for a while this morning and am not having any luck. Maybe you can help!

Ok, I am pulling a query from a log file that returns a random string of text such as:

xxxxxxxxxxxxxxxxxxxxxxxxxx11=123456xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

What I would like to do is take that 11= value and set it to a new field called OrderID, whereas the 123456 which just show up in the order ID field. Any help or insight on this would be great!

Thanks again!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎01-08-2014 08:45 AM

Try 

yoursearch |rex ".*[1][1]=(?P<orderID>\d+)\D"

This should create a field from _raw named orderID.

Explaination:

rex used without a field= will extract from _raw

The expression needs to be enclosed in quotes.

.* means any sequence of characters or symbols.

[1][1] means exactly the number 11

= is not a regular expression, so it is not escaped and means exactly the symbol =.

(?P<orderid>\d+) is the capture group.

? means not lazy, or grab the first occurance.

P stands for pull the value and name it orderid.

<orderid> sets field name for the extracted value, in this case we're going to call it orderid.

\d+ means one or more digit. So, what we have so far is, grab one or more digits after 11= as value for the field orderid.

\D means not a digit. So, it says stop grabbing digits for the value when a non-digit is encountered.

View solution in original post

Reply
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎01-08-2014 08:45 AM

Try 

yoursearch |rex ".*[1][1]=(?P<orderID>\d+)\D"

This should create a field from _raw named orderID.

Explaination:

rex used without a field= will extract from _raw

The expression needs to be enclosed in quotes.

.* means any sequence of characters or symbols.

[1][1] means exactly the number 11

= is not a regular expression, so it is not escaped and means exactly the symbol =.

(?P<orderid>\d+) is the capture group.

? means not lazy, or grab the first occurance.

P stands for pull the value and name it orderid.

<orderid> sets field name for the extracted value, in this case we're going to call it orderid.

\d+ means one or more digit. So, what we have so far is, grab one or more digits after 11= as value for the field orderid.

\D means not a digit. So, it says stop grabbing digits for the value when a non-digit is encountered.

Reply
Solved! Jump to solution

dlespron
Path Finder
‎01-09-2014 08:55 AM

THAT WORKED! Thanks so much you are awesome! Also, I greatly appreciate you taking the time to provide explanation, this is all very helpful to a Splunk noob like myslef!

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-09-2014 08:34 AM

Some how an error was introduced from the original formula. It is missing slashes and should be:
search ErrorMessage | rex ".*[1][1]=(?P<orderid>\d+)\D" | table orderid

Reply
Solved! Jump to solution

dlespron
Path Finder
‎01-09-2014 08:21 AM

I feel like I am just missing something simple, can you break down this part ".*[1][1]=(?Pd+)D" and tell me exactly what each part is doing? I have a general understanding but maybe your explanation might clear things up for me!

Thanks again!

0 Karma
Reply
Solved! Jump to solution

dlespron
Path Finder
‎01-08-2014 10:48 AM

still no luck, but I am working on it, thanks for your help!

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-08-2014 10:07 AM

Try:
search ErrorMessage | rex ".*[1][1]=(?P<orderid>d+)D" | table orderid

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-08-2014 10:06 AM

Your problem might be a case issue. orderid does not equal OrderID Fields are case sensitive.
I've retested and it works fine for me...

Reply
Solved! Jump to solution

dlespron
Path Finder
‎01-08-2014 09:55 AM

this is piece of the raw output where the 11= shows, and no other 11= are in here

\x150=ABCD\x1128=ABCD\x11=73563269\x155=ABCD\x154=1

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-08-2014 09:46 AM

Is the 11= showing up anywhere else?
Can you post a the `_raw' output from one of the events?

Reply
Solved! Jump to solution

dlespron
Path Finder
‎01-08-2014 09:44 AM

thaks so much for your help, any other thoughts on why its not working for me? Again, this is my query: search ErrorMessage | rex ".*[1][1]=(?Pd+)D" | table OrderID

but the OrderID field is just showing as blank...

0 Karma
Reply
Solved! Jump to solution

dlespron
Path Finder
‎01-08-2014 09:16 AM

hmm, I tried again with updated code and still doesnt seem to pull the number, still just seeing an empty OrderID field. I am fairly new to using splunk, so it's probably user error, but I just tried with: search ErrorMessage | rex ".*[1][1]=(?P\d+)\D" | table OrderID

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-08-2014 09:07 AM

I updated the code so it specifically looks for "11=" and grabs the value after that. It will stop grabbing numbers when it hits a non-digit, and it assumes there are no spaces between the = and the value you're after.

Reply
Solved! Jump to solution

dlespron
Path Finder
‎01-08-2014 09:07 AM

doesnt seem to work, it is creating a new field called OrderID, but it is coming up empty! 😞

This is my search: search ErrorMessage | rex ".*\d\d=(?P\d+)\D" | table OrderID

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-08-2014 08:54 AM

The above code should do it. It grabs the value after the = and puts it in a new field called orderID.

Reply
Solved! Jump to solution

dlespron
Path Finder
‎01-08-2014 08:50 AM

thanks, I am ok on the understanding of creating a new field, what I am having trouble with is taking the 11=123465 and then just returning 123456 in that OrderID field.

0 Karma
Reply
Solved! Jump to solution

dlespron
Path Finder
‎01-08-2014 08:41 AM

sorry! ok the xxxx's are just to represent the random text that may precede or follow the 11= value. yes the value is always preceded by 11=. For the sake of simplicity and my understanding lets just say it is always a number. This text is just being pulled from the _raw field.

Thanks!

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎01-08-2014 08:38 AM

Hi,

I'm not sure what you wan't

If you wan't a field OrderID with a value "11=123456"
I would make something like
| rex "(?P\d*\=\d*)"

I you need a field 11, that has a value 123456, I don't know

Reply
Solved! Jump to solution

dlespron
Path Finder
‎01-08-2014 08:52 AM

sorry! to clarify, I would like to find the "11=123456" and then just return the 123456 in the OrderID field. The 123456 is just for example, this could be any random number following the "11="

Thanks!

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-08-2014 08:37 AM

Are the xxx's for real? Is the value always preceded by 11=? Is the value always a number? What is the name of the field that contains the random string of text?

Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top