Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regular expression

Navanitha
Path Finder
‎05-12-2015 04:47 AM

Hi,

Can someone help me in writing the regex for following string

20141128082428PAASSUB 00.?9CDPCI8I USER ACTION TITLE 295211P3055E464 01Q0009000054146746SAHEER SHAIK12
20141202054437PBSALAK 00.94_VCT90U Windows security event logs P43833244199105 02P8758878262824579SAI LAKSMII

I need to extract the last string and name it as user. eg: user=SAHEER SHAIK. Also extract the digit "P43833244" and name it as ID.

Tags (1)
0 Karma
Reply

regexcracker
New Member
‎05-13-2015 04:12 PM

Please try this:

rex field=_raw (?<ID>Pw{8})w*s(?<First>w+)s(?<Last>w+$) | rex field=First w+d(?<First_Name>w+$) | table ID First_Name Last_Name

0 Karma
Reply

gfuente
Motivator
‎05-12-2015 06:27 AM

Hello

Regex for ID:

P(?<ID>\d{8})

Regex for name:

(?<name>[^\d]*)\d*\s*$

Regards

0 Karma
Reply

Navanitha
Path Finder
‎05-12-2015 06:40 AM

Hello,

Regex for name is working. Can you pls explain the expression for me.

And Regex for ID is not working. This is capturing first 8 digits of the string.

Thanks

0 Karma
Reply

gfuente
Motivator
‎05-12-2015 06:48 AM

Updated,

The first regex was missing a P

The regex for the name works this way, goes to the end of the event, leaves out of the capturing group any spaces an numbers, and then captures everything backwards until the first digit is found

Regards

0 Karma
Reply

Navanitha
Path Finder
‎05-12-2015 06:56 AM

Thank you for the explanation. Its clear now.

But ID regex is still not working.

0 Karma
Reply

gfuente
Motivator
‎05-12-2015 07:06 AM

Hello

The regex works for me, only for the second sample event. The first event has also letters, not just digits as you stated it should be:

ID starts with alphabet P followed by 8 digits

This sentence means this regex: P(?<ID>\d{8})

If you want to include also letters, you should give us additional constrains of the surroundind data to make it work for all cases. Maybe you can post additional sample events

0 Karma
Reply

regexcracker
New Member
‎05-13-2015 04:21 PM

Try this:

rex field=_raw (?<ID>P\w{8})\w*\s(?<First>\w+)\s(?<Last>\w+$) | rex field=First \w+\d(?<First_Name>\w+$) | table ID First_Name Last_Name

0 Karma
Reply

ConnorG
Path Finder
‎05-12-2015 06:47 AM

This should do:

(?<ID>P\d{8})

0 Karma
Reply

Navanitha
Path Finder
‎05-12-2015 06:57 AM

this is not working Connor..

0 Karma
Reply

krish3
Contributor
‎05-12-2015 06:10 AM

can you confirm these??

No space between these values and name 01Q0009000054146746SAHEER SHAIK12

Is ID you specified is off alphabet followed by 8 digits out of this P43833244199105

0 Karma
Reply

Navanitha
Path Finder
‎05-12-2015 06:19 AM

There is no space between 01Q0009000054146746SAHEER SHAIK12
ID starts with alphabet P followed by 8 digits

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...