Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regular Expression extract beginning and end of string- What am I missing?

rhenry
Explorer
‎03-03-2022 06:48 AM

Hello,

I have a situation where I am trying to pull from within a field the nomenclature of ABC-1234-56-7890 but want to be able to only pull the first three letters and the last four numbers into one field. I have the following query below thus far but have not figured out how to do as described above:

| rex field=comment (?<ABC>ABC\-\d+\-\d+\-\d+)

I want the return of "ABC-7890"

What am I missing so that I can successfully pull both beginning and end of the above described string? Thanks!

Labels (4)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-03-2022 09:31 PM
  • I can't help but noticing that your initial regex contains hard-coded leading string "ABC".  This implies that the first group of letters is fixed.  If this is the case, you can focus on the end of string, then compose with the known group, like this:

 

| rex field=comment "\bABC-\S+-(?<ABC>\d+)"
| eval ABC="ABC-" . ABC

 

  • Another way is to use sed mode to strip whatever you don't need.  This example assumes that leading string is unknown.

 

| rex field=comment mode=sed "s/.*?(\w+)\S+-(\d+).*/\1-\2/"​

 

(If you cannot sacrifice original content of comment, you can first copy it into a different field name such as ABC, then apply rex to that field.)

  • Alternatively, you can apply sed or replace to the ABC field you initially extracted.  This example uses replace.

 

| rex field=comment (?<ABC>ABC\-\d+\-\d+\-\d+)
| eval ABC=replace(ABC, "ABC-\d+-\d+-", "ABC-")​

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-03-2022 07:04 AM

Unfortunately, with PCRE you don't have a "ignore this part" group. (I would also welcome that)

You can however capture the beginning and end into separate fields and then create a calculated field combining them together,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-03-2022 07:03 AM

Hi @rhenry,

you could use a regex and an eval:

 

your_search
| rex "^(?<my_field_1>\w\w\w).*(?<myfield_2>\d\d\d\d)"
| eval my_field=my-field-1."-".my_field_2

 

you can test the regex at https://regex101.com/r/S7tXqS/1

Ciao.

Giuseppe

0 Karma
Reply

rhenry
Explorer
‎03-03-2022 07:15 AM

Hey this string does what I am looking for. However, it looks like it only works if ABC-1234-56-7890 is the only string in the field. What if there is additional words before and after? Like for example:

"This the location for ABC-1234-56-7890 at this point."

Is there a way to extract just that string highlighted above and again only beginning and end? Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-03-2022 07:39 AM

Hi, please try this:

your_search
| rex "(?<my_field_1>\w\w\w)\S*(?<myfield_2>\d\d\d\d)"
| eval my_field=my-field-1."-".my_field_2

that you can test at https://regex101.com/r/S7tXqS/2

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...