Splunk Search

I need help finding a substring and setting it to display in a new field.

Path Finder

I am sure this is probably a noob question, but I am a noob and I have been researching this for a while this morning and am not having any luck. Maybe you can help!

Ok, I am pulling a query from a log file that returns a random string of text such as:

xxxxxxxxxxxxxxxxxxxxxxxxxx11=123456xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

What I would like to do is take that 11= value and set it to a new field called OrderID, whereas the 123456 which just show up in the order ID field. Any help or insight on this would be great!

Thanks again!

Tags (3)
0 Karma
1 Solution

Super Champion

Try

yoursearch |rex ".*[1][1]=(?P<orderID>\d+)\D"

This should create a field from _raw named orderID.

Explaination:

rex used without a field= will extract from _raw

The expression needs to be enclosed in quotes.

.* means any sequence of characters or symbols.

[1][1] means exactly the number 11

= is not a regular expression, so it is not escaped and means exactly the symbol =.

(?P<orderid>\d+) is the capture group.

? means not lazy, or grab the first occurance.

P stands for pull the value and name it orderid.

<orderid> sets field name for the extracted value, in this case we're going to call it orderid.

\d+ means one or more digit. So, what we have so far is, grab one or more digits after 11= as value for the field orderid.

\D means not a digit. So, it says stop grabbing digits for the value when a non-digit is encountered.

View solution in original post

Super Champion

Try

yoursearch |rex ".*[1][1]=(?P<orderID>\d+)\D"

This should create a field from _raw named orderID.

Explaination:

rex used without a field= will extract from _raw

The expression needs to be enclosed in quotes.

.* means any sequence of characters or symbols.

[1][1] means exactly the number 11

= is not a regular expression, so it is not escaped and means exactly the symbol =.

(?P<orderid>\d+) is the capture group.

? means not lazy, or grab the first occurance.

P stands for pull the value and name it orderid.

<orderid> sets field name for the extracted value, in this case we're going to call it orderid.

\d+ means one or more digit. So, what we have so far is, grab one or more digits after 11= as value for the field orderid.

\D means not a digit. So, it says stop grabbing digits for the value when a non-digit is encountered.

View solution in original post

Path Finder

THAT WORKED! Thanks so much you are awesome! Also, I greatly appreciate you taking the time to provide explanation, this is all very helpful to a Splunk noob like myslef!

0 Karma

Super Champion

Some how an error was introduced from the original formula. It is missing slashes and should be:
search ErrorMessage | rex ".*[1][1]=(?P<orderid>\d+)\D" | table orderid

Path Finder

I feel like I am just missing something simple, can you break down this part ".*[1][1]=(?Pd+)D" and tell me exactly what each part is doing? I have a general understanding but maybe your explanation might clear things up for me!

Thanks again!

0 Karma

Path Finder

still no luck, but I am working on it, thanks for your help!

0 Karma

Super Champion

Try:
search ErrorMessage | rex ".*[1][1]=(?P<orderid>d+)D" | table orderid

Super Champion

Your problem might be a case issue. orderid does not equal OrderID Fields are case sensitive.
I've retested and it works fine for me...

Path Finder

this is piece of the raw output where the 11= shows, and no other 11= are in here

\x150=ABCD\x1128=ABCD\x11=73563269\x155=ABCD\x154=1

0 Karma

Super Champion

Is the 11= showing up anywhere else?
Can you post a the `_raw' output from one of the events?

Path Finder

thaks so much for your help, any other thoughts on why its not working for me? Again, this is my query: search ErrorMessage | rex ".*[1][1]=(?Pd+)D" | table OrderID

but the OrderID field is just showing as blank...

0 Karma

Path Finder

hmm, I tried again with updated code and still doesnt seem to pull the number, still just seeing an empty OrderID field. I am fairly new to using splunk, so it's probably user error, but I just tried with: search ErrorMessage | rex ".*[1][1]=(?P\d+)\D" | table OrderID

0 Karma

Super Champion

I updated the code so it specifically looks for "11=" and grabs the value after that. It will stop grabbing numbers when it hits a non-digit, and it assumes there are no spaces between the = and the value you're after.

Path Finder

doesnt seem to work, it is creating a new field called OrderID, but it is coming up empty! 😞

This is my search: search ErrorMessage | rex ".*\d\d=(?P\d+)\D" | table OrderID

0 Karma

Super Champion

The above code should do it. It grabs the value after the = and puts it in a new field called orderID.

Path Finder

thanks, I am ok on the understanding of creating a new field, what I am having trouble with is taking the 11=123465 and then just returning 123456 in that OrderID field.

0 Karma

Path Finder

sorry! ok the xxxx's are just to represent the random text that may precede or follow the 11= value. yes the value is always preceded by 11=. For the sake of simplicity and my understanding lets just say it is always a number. This text is just being pulled from the _raw field.

Thanks!

0 Karma

Builder

Hi,

I'm not sure what you wan't

If you wan't a field OrderID with a value "11=123456"
I would make something like
| rex "(?P\d*\=\d*)"

I you need a field 11, that has a value 123456, I don't know

Path Finder

sorry! to clarify, I would like to find the "11=123456" and then just return the 123456 in the OrderID field. The 123456 is just for example, this could be any random number following the "11="

Thanks!

0 Karma

Super Champion

Are the xxx's for real? Is the value always preceded by 11=? Is the value always a number? What is the name of the field that contains the random string of text?