Hi,
I have following values in field - DATA for which I want to extract text from start till the first set of number.
ABCD_EFG_HIJ_9998_LNM_HASJ_kasldj_a781-4413-7708
ABCD_EFG_4039_DATA_LOST_SAMPLE
FG_GG_1386_NUM125679_HR_1111_GHH_KSN_JASKK
ABCD_EFG_4039_DATA_7837_LOST_SAMPLE
XYZ_1920_MM_KK_LL_DATAFORMAT_SAMPLE
What I want is to extract till first set of number, wherever it occurs, i.e.
ABCD_EFG_HIJ_9998
ABCD_EFG_4039
FG_GG_1386
ABCD_EFG_4039
XYZ_1920
Following rex I have tried : rex field=DATA "(?<EXTRACTED_DATA>.*\d{4})\_"
, also the Splunk provided field extraction but no luck.
Hi,
If I understand correctly, you just want to extract everything from start until the first set of numbers, but include that set of numbers in your token right?
In that case, this is the regex I would use:
^(?<EXTRACTED_DATA>\D+\d+)
Example:
| makeresults
| eval DATA = "ABCD_EFG_HIJ_9998_LNM_HASJ_kasldj_a781-4413-7708"
| rex field=DATA "^(?<EXTRACTED_DATA>\D+\d+)"
Output (see picture below):
Thanks,
J
Hi,
If I understand correctly, you just want to extract everything from start until the first set of numbers, but include that set of numbers in your token right?
In that case, this is the regex I would use:
^(?<EXTRACTED_DATA>\D+\d+)
Example:
| makeresults
| eval DATA = "ABCD_EFG_HIJ_9998_LNM_HASJ_kasldj_a781-4413-7708"
| rex field=DATA "^(?<EXTRACTED_DATA>\D+\d+)"
Output (see picture below):
Thanks,
J
Thanks, this work for me.
Yes, I wanted the extraction to include first set of number.
Hi harshal_chakranarayan,
try this regex
| rex "^(?<my_field>[^0-9]*)"
you can test it at https://regex101.com/r/mkbCMt/1
Bye.
Giuseppe
Thanks for the answer, but I want the extraction including the first set of number