Solved: Re: Need a regex that extracts a string from event...

Bleepie · ‎09-24-2021

Dear Splunk Community,

I need help extracting a string (CTJT) plus any 6 characters after. CTJT is the start of an error code and always the same, the 6 characters after are different but always 6 charaters. Meaning the full error code is 10 characters like this: CTJTAAB013

The error codes in the events are always on random positions, never fixed!

I need to extract the errorcode and evaluate it in a field:

CTJT*
| table errorcode
| eval errorcode = "I want to fetch the error code here"

I have tried substr but I cant find a method for fetching the first index of CTJT. Can anyone help me create a regex that does the above or maybe some other way?

Thanks in advance

ITWhisperer · ‎09-24-2021

| rex "(?<errorcode>CTJT\w{6})"

View solution in original post

ITWhisperer · ‎09-24-2021

| rex "CTJT(?<errorcode>\w{6})"

Bleepie · ‎09-24-2021

Hello IT Whisper, any idea on why no results are show even though there are 569 statistics show? When clicking on events I can see all events.

Bleepie · ‎09-24-2021

Little edit:

When I include _raw in the table I can see the following:

But its missing CTJT in front of it.

ITWhisperer · ‎09-24-2021

| rex "(?<errorcode>CTJT\w{6})"

Bleepie · ‎09-24-2021

Thanks a lot sensei!

Need a regex that extracts a string from event plus 6 characters after

eval

field extraction

regex

rex

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?