Solved: Re: Regular expression in Datamodel attribute

snemiro_514 · ‎12-11-2014

Hi splunkers,

I need to create a new attribute in one datamodel. I think I don't understand the syntax or what's going on.

The field tranID contains two letters and a number (FR82734, WR293482) . I need a new field auxTranID containing only the number portion...so this is what I did:

In the search box:

| datamodel DATATEST TRAN search | rex field="TRAN.tranID" (? New FIELD NAME BETWEEN ANGLE BRACKETS \d+)"

Then I have a new field auxTranID with the proper numeric value.

If I go to the add attribute feature in the datamodel definition and I add a rex expression selecting the field tranID and writting "(? New FIELD NAME BETWEEN ANGLE BRACKETS \d+)" in the regex field, I don't see the new field in the object.

What am I doing wrong?

Thanks!

snemiro_514 · ‎12-11-2014

Wow.

I've removed the quotes and it started working.

View solution in original post

snemiro_514 · ‎12-11-2014

Wow.

I've removed the quotes and it started working.

Regular expression in Datamodel attribute

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Regular expression in Datamodel attribute

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem