Solved: Rex to Extract Specific Word

IRHM73 · ‎12-28-2017

Hi, I wonder whether someone maybe able to help me please.

I'm using the following rex to extract the word ID from a text string, which can be written in many permutations, e.g. ID, Id, id.

| rex field=text "/^|[^a-zA-Z](?<a>(?i)id)[^a-zA-Z]|$"

Could someone tell me please, is there a simpler way to write this?

Many thanks and kind regards

Chris

493669 · ‎12-29-2017

Thanks for sample data.

 | rex field=text "\b(?i)(?id)\b"

here \b matches any position that lies at boundary of word "id"
(?i) --> case insensitive match

View solution in original post

micahkemp · ‎12-29-2017

| rex field=text (?<!\w)(?i)(?<a>id)(?!\w)

That looks for the term id not surrounded by other word characters.

493669 · ‎12-29-2017

Thanks for sample data.

 | rex field=text "\b(?i)(?id)\b"

here \b matches any position that lies at boundary of word "id"
(?i) --> case insensitive match

IRHM73 · ‎01-01-2018

Hi @493669, as per the solution from @wenthold, this works great and thank you for the explanation.

If you change this to an answer I can accept it.

Kind Regards

Chris

wenthold · ‎12-29-2017

Try

| rex field=text "\b(?i)(?<a>id)\b"

IRHM73 · ‎01-01-2018

Hi @wenthold, this works great, thank you very much for taking the time to put this together.

Many thanks and kind regards

Chris

niketn · ‎12-29-2017

Can you add some sample data?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

493669 · ‎12-29-2017

 | rex field=text "\s(?i)(?<a>id)\s"

it will match word ID(case insensitive) from a text string

IRHM73 · ‎12-29-2017

Hi @493669, thank you for this.

It certainly extracts the correct words in the different formats, but unfortunately if there is a succeeding special character such a s a . or ) it doesn't extract the word.

Many thanks and kind regards

Chris

493669 · ‎12-29-2017

Can you try below

| rex field=text "\s(?i)(?<a>id)."

IRHM73 · ‎12-29-2017

Hi, thank you for coming back to me with this.

I'm sorry this has a similar issue in that it extracts id from the word "identity".

Many thanks and kind regards

Chris

IRHM73 · ‎12-29-2017

If it helps, here is sample data where id should not be extracted:

The first part of registration was
straight forward but I have been left
confused as to if the process was
completed or not ? when I tried to
continue the system did not recognise
my identity ?

Regards

Chris

DalJeanis · ‎12-28-2017

This will place any single combination of ( ID, iD, Id, or id) that is found in field text into field a, if that is what you want.

 | rex field=text "(?i)(?<a>id)"

IRHM73 · ‎12-28-2017

Hi, thank you for this @DalJeanis, but unfortunately it doesn't quite work because it extracts the id from words such as "said".

Many thanks and kind regards

Chris

Rex to Extract Specific Word

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!