Rex - Extract till first set of numbers

harshal_chakran
Builder

Hi,
I have the following values in the field DATA, for which I want to extract the text from the start till the first set of numbers.

ABCD_EFG_HIJ_9998_LNM_HASJ_kasldj_a781-4413-7708
ABCD_EFG_4039_DATA_LOST_SAMPLE
FG_GG_1386_NUM125679_HR_1111_GHH_KSN_JASKK
ABCD_EFG_4039_DATA_7837_LOST_SAMPLE
XYZ_1920_MM_KK_LL_DATAFORMAT_SAMPLE

What I want is to extract till the first set of numbers, wherever it occurs, i.e.:
ABCD_EFG_HIJ_9998
ABCD_EFG_4039
FG_GG_1386
ABCD_EFG_4039
XYZ_1920

I have tried the following rex: rex field=DATA "(?<EXTRACTED_DATA>.*\d{4})\_" and also the Splunk-provided field extraction, but no luck.

0 Karma
1 Solution

javiergn
Super Champion

Hi,

If I understand correctly, you just want to extract everything from the start until the first set of numbers, but include that set of numbers in your token, right?

In that case, this is the regex I would use:

^(?<EXTRACTED_DATA>\D+\d+)

Example:

| makeresults
| eval DATA = "ABCD_EFG_HIJ_9998_LNM_HASJ_kasldj_a781-4413-7708"
| rex field=DATA "^(?<EXTRACTED_DATA>\D+\d+)"

Output (see picture below):

Thanks,
J

harshal_chakran
Builder

Thanks, this works for me.
Yes, I wanted the extraction to include the first set of numbers.

0 Karma

gcusello
SplunkTrust

Hi harshal_chakranarayan,
try this regex

| rex "^(?<my_field>[^0-9]*)"

you can test it at https://regex101.com/r/mkbCMt/1

Bye.
Giuseppe

0 Karma

harshal_chakran
Builder

Thanks for the answer, but I want the extraction to include the first set of numbers.

0 Karma
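
The three patterns from this thread run side by side over the question's sample values, as an added example that is not part of any post above. It is written in Python rather than SPL, so named groups use Python's (?P<name>...) spelling; the group name v, the pattern labels and the value 1234_ABC are constructed for the illustration.

```python
import re

# Field values copied from the question.
SAMPLES = [
    "ABCD_EFG_HIJ_9998_LNM_HASJ_kasldj_a781-4413-7708",
    "ABCD_EFG_4039_DATA_LOST_SAMPLE",
    "FG_GG_1386_NUM125679_HR_1111_GHH_KSN_JASKK",
    "ABCD_EFG_4039_DATA_7837_LOST_SAMPLE",
    "XYZ_1920_MM_KK_LL_DATAFORMAT_SAMPLE",
]

# The thread's three patterns. Python's re spells named groups (?P<name>...),
# where Splunk's rex accepts (?<name>...); the matching logic is unchanged.
# The labels and the group name "v" are assumptions made for this example.
PATTERNS = {
    "question": r"(?P<v>.*\d{4})_",     # greedy .* backtracks from the end of the value
    "accepted": r"^(?P<v>\D+\d+)",      # leading non-digits, then the first digit run
    "alternative": r"^(?P<v>[^0-9]*)",  # stops just before the first digit
}


def extract(name, value):
    """Emulate rex: search anywhere in the value, return the group or None."""
    m = re.search(PATTERNS[name], value)
    return m.group("v") if m else None


def compare(values):
    """Map each value to what each of the three patterns extracts from it."""
    return {v: {n: extract(n, v) for n in PATTERNS} for v in values}


if __name__ == "__main__":
    for value, row in compare(SAMPLES).items():
        print(value)
        for name, got in row.items():
            print(f"  {name:<12}{got!r}")
    # Edge case (constructed value): the accepted pattern needs at least one
    # non-digit before the digits, so a value that starts with a digit gives
    # no match and the field would be left unset.
    print(extract("accepted", "1234_ABC"))
```

The greedy pattern from the question only goes wrong on values that contain a later four-digit group followed by an underscore, which is why it can look correct on some rows and not on others.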