Solved: Regular expression in Datamodel attribute

snemiro_514 · ‎12-11-2014

Hi splunkers,

I need to create a new attribute in one datamodel. I think I don't understand the syntax or what's going on.

The field tranID contains two letters and a number (FR82734, WR293482) . I need a new field auxTranID containing only the number portion...so this is what I did:

In the search box:

| datamodel DATATEST TRAN search | rex field="TRAN.tranID" (? New FIELD NAME BETWEEN ANGLE BRACKETS \d+)"

Then I have a new field auxTranID with the proper numeric value.

If I go to the add attribute feature in the datamodel definition and I add a rex expression selecting the field tranID and writting "(? New FIELD NAME BETWEEN ANGLE BRACKETS \d+)" in the regex field, I don't see the new field in the object.

What am I doing wrong?

Thanks!

snemiro_514 · ‎12-11-2014

Wow.

I've removed the quotes and it started working.

View solution in original post

snemiro_514 · ‎12-11-2014

Wow.

I've removed the quotes and it started working.

Regular expression in Datamodel attribute

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Regular expression in Datamodel attribute

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR