Splunk Search

Need help with RegEx

omuelle1
Communicator

Hi,

I am trying to extract a field in Splunk but the field extraction doesn't work and throws this error

"The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."

Therefore I am trying to write the regex myself, but I am not really good at regex, so I would appreciate your help.

I want to skip the first two numbers in this string and extract the next 6:

0035373112473B    CC002017020809521700000001r200000432                                                                                            SYSTEM      201702081437521  

So in this case I want my Field to contain 353731.

This is my current regex but I don't know how I can get it to skip the first two numbers.

(?<ITEM>\s*\s*K\^[0-9][0-9][0-9][0-9][0-9][0-9])

Thank you,

Oliver


esix_splunk
Splunk Employee

Based on your event in the above:

^\d{2}(?<mystring>\d{6})\w+

That looks at the beginning of the line, skips the first 2 digits, and captures the next 6 digits.

Check out this website : https://regex101.com/r/awrCuI/1

omuelle1
Communicator

Thank you guys!!

omuelle1
Communicator

Thank you guys, I will need to improve my regex skills since the Field Extractor barely works.

How would I modify the regex if there is white space after the 6 digits?

Like it doesn't match for this case:

00012220          *O082017020900024800000000q0025047000011000000009000000009000000001000000000000000000

esix_splunk
Splunk Employee

You can just use this:

 ^\w{2}(?<mystring>\d{6})

Here the \w denotes a word space, so all letters upper and lower, numbers, and spaces. So this will catch events that start with two numbers, letters, or spaces.


omuelle1
Communicator

Both worked for me, thank you guys!


omuelle1
Communicator

Could you guys also help me with how to get the *O (it can be any 2 characters), which is always at that same position? I tried the same thing you guys told me, but the skipping doesn't work, I assume because there is a space in between.

00012220         *O082017020900024800000000q0025047000011000000009000000009000000001000000000000000000

hgrow
Communicator

^\w+\s+(?<field>.{2}) might do it?


esix_splunk
Splunk Employee

You can try this:

(\s+|\w+)(?<digits>\d{7})\s+(?<next>\*\w)\w+

This assumes the pattern is always *O, that is, an asterisk + letter.


hgrow
Communicator

You should just be able to leave out esix's \w+ if I'm correct 🙂

In your case it should not matter what comes after the first 6 digits, whitespace or some other characters, since you will always want the digits right after the beginning of the line.

^\d{2}(?<mystring>\d{6})


hgrow
Communicator

Hi there,

If your capturing group is already matching, you can just pull the first two digits (\d{2}) out of the capturing group.

Just execute this as an example: | makeresults | eval test="0035373112473B" | rex field=test "\d{2}(?<ITEM>\d{6})"

Greetings

Edited the regex 🙂

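A quick offline check of every pattern posted in this thread, added here as an example and not something any of the posters ran. It assumes Python 3 and nothing else. Splunk's rex uses PCRE-style named groups, (?<name>...), while Python's re only accepts (?P<name>...), so a small helper rewrites the group syntax and the thread's patterns can be pasted unchanged. The two events are the records posted above with the long run of trailing padding shortened; the rex() stand-in returns the named captures of the first match, or an empty dict when there is no match, which is also what Splunk does (fields simply stay unset).

```python
import re

# Constructed sample events, copied from the two records posted in the thread
# (trailing padding on the first one is shortened).
EVENT_A = ("0035373112473B    CC002017020809521700000001r200000432"
           "        SYSTEM      201702081437521")
EVENT_B = ("00012220          *O082017020900024800000000q0025047000011"
           "000000009000000009000000001000000000000000000")

# Patterns exactly as they appear in the thread (PCRE / Splunk syntax).
FIRST_ANSWER = r"^\d{2}(?<mystring>\d{6})\w+"   # accepted answer
TRIMMED      = r"^\d{2}(?<mystring>\d{6})"      # hgrow: drop the trailing \w+
WORD_PREFIX  = r"^\w{2}(?<mystring>\d{6})"      # esix's follow-up
TWO_CHARS    = r"^\w+\s+(?<field>.{2})"         # hgrow: the two chars after the gap
COMBINED     = r"(\s+|\w+)(?<digits>\d{7})\s+(?<next>\*\w)\w+"  # esix: digits + *O
UNANCHORED   = r"\d{2}(?<ITEM>\d{6})"           # hgrow's makeresults example


def pcre_named_groups_to_python(pattern: str) -> str:
    """Splunk's rex uses PCRE-style (?<name>...) named groups; Python's re only
    understands (?P<name>...). Rewrite the former so thread patterns can be
    pasted verbatim. The negative lookahead skips (?<=...) and (?<!...)
    lookbehinds, which share the prefix but are not named groups."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex(pattern: str, event: str) -> dict:
    """Stand-in for `| rex field=_raw "<pattern>"`: the named groups of the
    first match, or {} when nothing matches (rex likewise leaves the fields
    unset rather than raising an error)."""
    m = re.search(pcre_named_groups_to_python(pattern), event)
    return m.groupdict() if m else {}


def is_word_char(ch: str) -> bool:
    """What backslash-w really matches: letters, digits and underscore only.
    It does not match a space, which matters for events that start with padding."""
    return re.fullmatch(r"\w", ch) is not None


def run_all() -> dict:
    """Apply every thread pattern to both events; result keyed by pattern name,
    value is (captures from EVENT_A, captures from EVENT_B)."""
    patterns = {
        "first_answer": FIRST_ANSWER,
        "trimmed": TRIMMED,
        "word_prefix": WORD_PREFIX,
        "two_chars": TWO_CHARS,
        "combined": COMBINED,
        "unanchored": UNANCHORED,
    }
    return {name: (rex(p, EVENT_A), rex(p, EVENT_B))
            for name, p in patterns.items()}


if __name__ == "__main__":
    for name, (a, b) in run_all().items():
        print(f"{name:13s} A={a}  B={b}")
    print("backslash-w matches a space:", is_word_char(" "))
```

Running it shows why the accepted answer missed the second record: the trailing \w+ demands a word character immediately after the six digits, and EVENT_B has spaces there, so ^\d{2}(?<mystring>\d{6})\w+ yields nothing for it while the version without \w+ captures 012220. The combined digits-plus-*O pattern only matches the record that actually contains an asterisk, and the unanchored \d{2}(?<ITEM>\d{6}) works on these samples only because both lines begin with digits; keep the ^ if the extraction must never drift to a later run of eight digits. Note also that \w covers letters, digits and underscore but not whitespace, so ^\w{2} would not help with events that start with two spaces.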