Hi all, I am new to Splunk. I am trying to extract a field from a line in a record where the field will always begin with a 2 letter state code followed by 8 additional characters. The record also contains a two letter state field I would like to use as a variable for the extraction search, since the state will vary from record to record. Also, the position of this field to be extracted will vary from record to record. I have played with multiple variations of REX and REGEX with EVAL and haven't found the answer for reading a variable into the expression, or allowing the extraction position to vary across different records.
Any help would be greatly appreciated.
If the location of the state varies within the comments field and the format is consistent with your example, then this should find it.
\s+(?<state>[A-Z]{2}[0-9]{8})\s+
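As an added illustration (not code from the thread), the Python below runs the answer's position-independent pattern over the sample comments field posted later in the thread, and also shows the per-record variant the original poster was after: anchoring the pattern on the record's own STATE value. Function names and the record layout are my own assumptions; Splunk's rex uses PCRE, so the `(?P<name>...)` group syntax used here is accepted by rex as well.

```python
import re

# Sample comments field copied from the thread; the target token is CA12345678.
SAMPLE_COMMENTS = (
    "FT JOE BB72649 BBB 9998372615 FT REQ ASST W/ACT ANYTHING VALID ABC,"
    "CURRENT WORDS CA12345678 NOT ALLOWING NEW BOGUS PHRASES TO GO THROUGH."
    "ADVSD FT.FOO USELESS"
)

# The answer's pattern: two uppercase letters followed by eight digits, with
# whitespace on both sides. Note the caveat: because of the surrounding \s+,
# a token at the very start or very end of the field is NOT matched.
GENERIC_PATTERN = re.compile(r"\s+(?P<state>[A-Z]{2}[0-9]{8})\s+")


def extract_state_token(comments, state=None):
    """Return the first AA99999999 token found in comments, or None.

    When state is given (the record's STATE field), the pattern is anchored
    on that two-letter code, so a token for a different state is ignored.
    """
    if state is None:
        pattern = GENERIC_PATTERN
    else:
        # re.escape keeps an unexpected character in the field value from
        # changing the regex; \b boundaries also cope with a comma or period
        # next to the token, which the whitespace-only pattern above does not.
        pattern = re.compile(
            r"\b(?P<state>" + re.escape(state.upper()) + r"[0-9]{8})\b"
        )
    match = pattern.search(comments)
    return match.group("state") if match else None


def extract_from_events(events):
    """Apply the anchored extraction to a list of {'STATE': .., 'comments': ..} records."""
    return [extract_state_token(e["comments"], e.get("STATE")) for e in events]


if __name__ == "__main__":
    print(extract_state_token(SAMPLE_COMMENTS))        # CA12345678
    print(extract_state_token(SAMPLE_COMMENTS, "NY"))  # None
```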
Please accept the answer to help future readers.
Thanks all. Changed the field to _raw and it works great.
Sorry for not seeing your answer when I updated mine 🙂
Yes, the location of CA12345678 will vary within the comments field
Try this:
(?P<State>[A-Z]{2}[0-9]{8})\s+
Will the location of CA12345678 also be changing? If not, try this: "\,\w+\s+\w+\s+(?P
Here is an example of what a comments field looks like. The CA12345678 is what I need to extract. The state can vary, as can the location of the data needed with the comments.
FT JOE BB72649 BBB 9998372615 FT REQ ASST W/ACT ANYTHING VALID ABC,CURRENT WORDS CA12345678 NOT ALLOWING NEW BOGUS PHRASES TO GO THROUGH.ADVSD FT.FOO USELESS
Please provide some sample events (data). At least the comments field.
Hi. Sure. Here is the most recent example I have been working with.
sourcetype=file earliest=-1d@d latest=now |eval temp=STATE | rex field=comments "(?
If I remove $temp$ and use [NY] for example, I get some valid responses, but it doesn't seem to be handling the varying start position of the data in the record.
Could you please provide some samples?