Rex 16 digit account number that always starts with 8

Path Finder

I am using the below REX, but I'm getting unwanted values from another field that is not related to the account number.

REX: -\s(?<acct>\d{16})

Example Log:

[2015-06-21T23:59:53.882-05:00] [gw_server6] [NOTIFICATION] [] [com.charter.customer.care.view.backing.banner.BannerFlowBean] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: cbrewster] [ecid: 8e4ec398-841d-45ad-9eb6-dec27a6d5b42-0004b72b,0] [APP: chtrgwy] 2015-06-21 23:59:53.882 - CTIPOP CALL RECEIVED - FGS - 8246100013000800- 8178750270 - 558795aa00000000ac10edf823300002

My extraction is pulling in a value of 5586441100000000 in some cases, but in most cases I'm getting what I want, which would be 8246100013000800.

Valid account numbers should always start with the number "8". Is there a way to add that logic into my existing extraction for my account number field?


Re: Rex 16 digit account number that always starts with 8

SplunkTrust

Hi kmccowen,

try something like this:

your base search here | rex field=_raw "-\s(?<acct>\d{16})\s-" | table acct

This will capture only 16 digits until the next - is found.

Hope this helps...

cheers, MuS


Re: Rex 16 digit account number that always starts with 8

Path Finder

I just needed to add one blank white space prior to the last "dash" and this fixed the extraction!
Thanks MuS!


Re: Rex 16 digit account number that always starts with 8

Path Finder

Final regex:

your base search here  | rex field=_raw "-\s(?<acct>\d{16})\s-"

Re: Rex 16 digit account number that always starts with 8

Path Finder

Need to add a white space "/s" prior to the final dash.


Re: Rex 16 digit account number that always starts with 8

SplunkTrust

thanks for the hint 😉
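
Added example, not part of any post in this thread: an SPL search that compares the pattern from the question (`acct_original`) with a stricter one (`acct`) that requires the leading 8 the question asks about and a dash delimiter after the 16 digits. The four events are constructed, and the idea that the stray 16-digit value comes from a trailing hex ID that happens to begin with 16 digits is an assumption, not something the thread states.

```spl
| makeresults count=4
| streamstats count AS n
| eval sample=case(
    n=1, "constructed: account followed by space and dash",
    n=2, "constructed: account followed directly by dash",
    n=3, "constructed: no account, trailing ID starts with 16 digits",
    n=4, "constructed: no account, trailing ID starts with 8 plus 15 digits")
| eval _raw=case(
    n=1, "2015-06-21 23:59:53.882 - CTIPOP CALL RECEIVED - FGS - 8246100013000800 - 8178750270 - 558795aa00000000ac10edf823300002",
    n=2, "2015-06-21 23:59:53.882 - CTIPOP CALL RECEIVED - FGS - 8246100013000800- 8178750270 - 558795aa00000000ac10edf823300002",
    n=3, "2015-06-21 23:59:53.882 - CTIPOP CALL RECEIVED - FGS - - 8178750270 - 5586441100000000ac10edf823300002",
    n=4, "2015-06-21 23:59:53.882 - CTIPOP CALL RECEIVED - FGS - - 8178750270 - 8586441100000000ac10edf823300002")
| rex field=_raw "-\s(?<acct_original>\d{16})"
| rex field=_raw "-\s(?<acct>8\d{15})\s*-"
| table n sample acct_original acct
```

Rows 3 and 4 are the cases where `acct_original` is filled from the trailing ID while `acct` stays empty; row 4 shows why the leading 8 alone is not enough without the closing delimiter.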