Solved: Re: Rex to Extract Specific Word

IRHM73 · ‎12-28-2017

Hi, I wonder whether someone maybe able to help me please.

I'm using the following rex to extract the word ID from a text string, which can be written in many permutations, e.g. ID, Id, id.

| rex field=text "/^|[^a-zA-Z](?<a>(?i)id)[^a-zA-Z]|$"

Could someone tell me please, is there a simpler way to write this?

Many thanks and kind regards

Chris

493669 · ‎12-29-2017

Thanks for sample data.

 | rex field=text "\b(?i)(?id)\b"

here \b matches any position that lies at boundary of word "id"
(?i) --> case insensitive match

View solution in original post

micahkemp · ‎12-29-2017

| rex field=text (?<!\w)(?i)(?<a>id)(?!\w)

That looks for the term id not surrounded by other word characters.

493669 · ‎12-29-2017

Thanks for sample data.

 | rex field=text "\b(?i)(?id)\b"

here \b matches any position that lies at boundary of word "id"
(?i) --> case insensitive match

IRHM73 · ‎01-01-2018

Hi @493669, as per the solution from @wenthold, this works great and thank you for the explanation.

If you change this to an answer I can accept it.

Kind Regards

Chris

wenthold · ‎12-29-2017

Try

| rex field=text "\b(?i)(?<a>id)\b"

IRHM73 · ‎01-01-2018

Hi @wenthold, this works great, thank you very much for taking the time to put this together.

Many thanks and kind regards

Chris

niketn · ‎12-29-2017

Can you add some sample data?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

493669 · ‎12-29-2017

 | rex field=text "\s(?i)(?<a>id)\s"

it will match word ID(case insensitive) from a text string

IRHM73 · ‎12-29-2017

Hi @493669, thank you for this.

It certainly extracts the correct words in the different formats, but unfortunately if there is a succeeding special character such a s a . or ) it doesn't extract the word.

Many thanks and kind regards

Chris

493669 · ‎12-29-2017

Can you try below

| rex field=text "\s(?i)(?<a>id)."

IRHM73 · ‎12-29-2017

Hi, thank you for coming back to me with this.

I'm sorry this has a similar issue in that it extracts id from the word "identity".

Many thanks and kind regards

Chris

IRHM73 · ‎12-29-2017

If it helps, here is sample data where id should not be extracted:

The first part of registration was
straight forward but I have been left
confused as to if the process was
completed or not ? when I tried to
continue the system did not recognise
my identity ?

Regards

Chris

DalJeanis · ‎12-28-2017

This will place any single combination of ( ID, iD, Id, or id) that is found in field text into field a, if that is what you want.

 | rex field=text "(?i)(?<a>id)"

IRHM73 · ‎12-28-2017

Hi, thank you for this @DalJeanis, but unfortunately it doesn't quite work because it extracts the id from words such as "said".

Many thanks and kind regards

Chris

Rex to Extract Specific Word

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Rex to Extract Specific Word

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?