Solved: Rex 16 digit account number that always starts wit...

kmccowen · ‎06-22-2015

I using the below REX but i'm getting unwanted values for another field that is not related to account number.

REX: -\s(?<acct>\d{16})

Example Log:

[2015-06-21T23:59:53.882-05:00] [gw_server6] [NOTIFICATION] [] [com.charter.customer.care.view.backing.banner.BannerFlowBean] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: cbrewster] [ecid: 8e4ec398-841d-45ad-9eb6-dec27a6d5b42-0004b72b,0] [APP: chtrgwy] 2015-06-21 23:59:53.882 - CTIPOP CALL RECEIVED - FGS - 8246100013000800- 8178750270 - 558795aa00000000ac10edf823300002

My extraction is pulling in a value of 5586441100000000 in some cases but in most cases i'm getting what I want which would be 8246100013000800

Valid account numbers should always start with the number "8" is there a way to add that logic into my existing Extraction for my Account number field?

MuS · ‎06-22-2015

Hi kmccowen,

try something like this:

your base search here | rex field=_raw "-\s(?<acct>\d{16})\s-" | table acct

This will capture only 16 digits until the next - is found.

Hope this helps...

cheers, MuS

View solution in original post

MuS · ‎06-22-2015

Hi kmccowen,

try something like this:

your base search here | rex field=_raw "-\s(?<acct>\d{16})\s-" | table acct

This will capture only 16 digits until the next - is found.

Hope this helps...

cheers, MuS

kmccowen · ‎06-23-2015

need to add a white space "/s" prior to the final dash

MuS · ‎06-23-2015

thanks for the hint 😉

kmccowen · ‎06-23-2015

Final regex:

your base search here  | rex field=_raw "-\s(?<acct>\d{16})\s-"

kmccowen · ‎06-23-2015

I just needed to add one blank white space prior to the last "dash" and this fixed the extraction!
Thanks MuS!

Rex 16 digit account number that always starts with 8

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk