Splunk Search

Need help with RegEx

omuelle1
Communicator

Hi,

I am trying to extract a field in Splunk, but the field extraction doesn't work and throws this error:

"The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."

Therefore I am trying to write the regex myself, but I am not really good at regex, so I would appreciate your help.

I want to skip the first two numbers in this string and extract the next 6:

0035373112473B    CC002017020809521700000001r200000432                                                                                            SYSTEM      201702081437521  

So in this case I want my Field to contain 353731.

This is my current regex, but I don't know how I can get it to skip the first two numbers.

(?<ITEM>\s*\s*K\^[0-9][0-9][0-9][0-9][0-9][0-9])

Thank you,

Oliver

0 Karma
1 Solution

esix_splunk
Splunk Employee

Based on your event in the above:

^\d{2}(?<mystring>\d{6})\w+

That looks at the beginning of the line, skips the first 2 digits, and captures the next 6 digits.

Check out this website: https://regex101.com/r/awrCuI/1


omuelle1
Communicator

Thank you guys!!

0 Karma

omuelle1
Communicator

Thank you guys, I will need to improve my regex skills since the Field Extractor barely works.

How would I modify the regex if there is white space after the 6 digits?

Like it doesn't match for this case:

00012220          *O082017020900024800000000q0025047000011000000009000000009000000001000000000000000000
0 Karma

esix_splunk
Splunk Employee

You can just use this:

 ^\w{2}(?<mystring>\d{6})

Here the \w denotes a word space, so all letters upper and lower, numbers, and spaces. So this will catch events that start with numbers, letters, or spaces x 2.

0 Karma

omuelle1
Communicator

Both worked for me, thank you guys!

0 Karma

omuelle1
Communicator

Could you guys also help me with how to get the *O (it can be any 2 characters), which is always at that same position? I tried the same thing you guys told me, but the skipping doesn't work, I assume because there is a space in between.

00012220         *O082017020900024800000000q0025047000011000000009000000009000000001000000000000000000
0 Karma

hgrow
Communicator

^\w+\s+(?<field>.{2}) might do it?

0 Karma

esix_splunk
Splunk Employee

You can try this...

(\s+|\w+)(?<digits>\d{7})\s+(?<next>\*\w)\w+

This assumes the pattern is also *O, that is asterisk + letter.

0 Karma

hgrow
Communicator

You should just be able to leave out esix's \w+ if I'm correct 🙂

In your case it should not matter what is coming after the first 6 digits, whitespace or some other characters, since you will always want the digits right after the beginning of the line.

^\d{2}(?<mystring>\d{6})

0 Karma


hgrow
Communicator

Hi there,

If your capturing group is already matching, you can just pull the first two digits (\d{2}) out of the capturing group.

Just execute this as an example: | makeresults | eval test="0035373112473B" | rex field=test "\d{2}(?<ITEM>\d{6})"

Greetings

Edited the regex 🙂

0 Karma
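A way to check the patterns proposed in this thread outside Splunk before committing one to a field extraction, as an added example that is not part of the thread: the script below runs each regex against constructed copies of the two posted events using Python's re module. It assumes Splunk's PCRE-style (?<name>...) groups can be rewritten to Python's (?P<name>...) form; the pattern labels and the exact run lengths of spaces in the sample events are my own.

```python
import re

# Constructed copies of the two events posted in the thread. The space runs are
# assumed; the second event is truncated (the anchored patterns do not care).
EVENTS = [
    "0035373112473B" + " " * 4 + "CC002017020809521700000001r200000432"
    + " " * 20 + "SYSTEM" + " " * 6 + "201702081437521",
    "00012220" + " " * 10 + "*O082017020900024800000000q0025047000011000000009",
]

# The regexes proposed in the thread, keyed by labels used only in this script.
PATTERNS = {
    "solution":  r"^\d{2}(?<mystring>\d{6})\w+",       # accepted answer
    "anchored":  r"^\d{2}(?<mystring>\d{6})",          # hgrow: drop the trailing \w+
    "wordchars": r"^\w{2}(?<mystring>\d{6})",          # esix: \w{2} instead of \d{2}
    "two_chars": r"^\w+\s+(?<field>.{2})",             # hgrow: two chars after the gap
    "star_o":    r"(\s+|\w+)(?<digits>\d{7})\s+(?<next>\*\w)\w+",  # esix
    "rex_demo":  r"\d{2}(?<ITEM>\d{6})",               # hgrow's makeresults example
}


def splunk_rex(pattern):
    """Compile a Splunk/PCRE-style regex under Python's re module.
    Splunk writes named groups as (?<name>...); Python's re only accepts
    (?P<name>...), so rewrite that prefix but leave lookbehinds (?<= (?<! alone."""
    return re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", pattern))


def extract(pattern, event):
    """Mimic `rex field=_raw`: the named groups of the first match, or {} if none."""
    m = splunk_rex(pattern).search(event)
    return m.groupdict() if m else {}


def run_all():
    """Apply every pattern to every event; a {} entry means 'field not extracted'."""
    return {name: [extract(p, e) for e in EVENTS] for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, results in run_all().items():
        print(f"{name:10} {PATTERNS[name]}")
        for event, fields in zip(EVENTS, results):
            print(f"    {event[:22]!r:26} -> {fields}")
```

The output shows why the accepted pattern fails on the second event (its trailing \w+ needs a word character where that event has a space) while the anchored form matches both, and that the (\s+|\w+)(?<digits>\d{7}) variant captures seven digits rather than the six the question asked for.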