Splunk Search
Highlighted

Rex - Extract till first set of numbers

Hi,
I have following values in field - DATA for which I want to extract text from start till the first set of number.

ABCDEFGHIJ9998LNMHASJkasldja781-4413-7708
ABCD
EFG4039DATALOSTSAMPLE
FGGG1386NUM125679HR1111GHHKSNJASKK
ABCDEFG4039DATA7837LOSTSAMPLE
XYZ1920MMKKLLDATAFORMATSAMPLE

What I want is to extract till first set of number, wherever it occurs, i.e.
ABCDEFGHIJ9998
ABCD
EFG4039
FG
GG1386
ABCD
EFG4039
XYZ
1920

Following rex I have tried : rex field=DATA "(?<EXTRACTED_DATA>.*\d{4})\_" , also the Splunk provided field extraction but no luck.

0 Karma
Highlighted

Re: Rex - Extract till first set of numbers

Legend

Hi harshal_chakranarayan,
try this regex

| rex "^(?<my_field>[^0-9]*)"

you can test it at https://regex101.com/r/mkbCMt/1

Bye.
Giuseppe

0 Karma
Highlighted

Re: Rex - Extract till first set of numbers

Thanks for the answer, but I want the extraction including the first set of number

0 Karma
Highlighted

Re: Rex - Extract till first set of numbers

SplunkTrust
SplunkTrust

Hi,

If I understand correctly, you just want to extract everything from start until the first set of numbers, but include that set of numbers in your token right?

In that case, this is the regex I would use:

^(?<EXTRACTED_DATA>\D+\d+)

Example:

| makeresults
| eval DATA = "ABCD_EFG_HIJ_9998_LNM_HASJ_kasldj_a781-4413-7708"
| rex field=DATA "^(?<EXTRACTED_DATA>\D+\d+)"

Output (see picture below):

alt text

Thanks,
J

View solution in original post

Highlighted

Re: Rex - Extract till first set of numbers

Thanks, this work for me.
Yes, I wanted the extraction to include first set of number.

0 Karma