Splunk Search

What is the regular expression to extract "a1234567" from my event?

Path Finder

Please help me with a regular expression.
I want to extract a1234567

"INDV=1234566|RSPAR|a1234567|RSPAR"
0 Karma
Re: What is the regular expression to extract "a1234567" from my event?

Legend

Hi sravankaripe,
you can use it on raw events:

\d+\|\w+\|(?<your_field>[^\|]*)

or using a rex command

| rex field=INDV "\d+\|\w+\|(?<your_field>[^\|]*)"

You can see it at https://regex101.com/r/Ve484u/1

Bye.
Giuseppe

0 Karma
Re: What is the regular expression to extract "a1234567" from my event?

Path Finder

| rex field=_raw "\d+\|\w+\|(?<your_field>[^\|]*)"
This worked for me. Thanks.

0 Karma
Re: What is the regular expression to extract "a1234567" from my event?

Influencer

I would consider using the split and mvindex commands for this, assuming INDV is being extracted already:

... | eval my_field=mvindex(split(INDV,"|"),2)

With regex:

... | rex field=INDV "RSPAR\|(?<my_field>[^|]+)"

But that really depends on the consistency of the data around your target extraction.

0 Karma
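
The last answer's point about data consistency, as an added example that is not code from the thread: the two regex patterns and the split/mvindex approach are reproduced in JavaScript (whose regex syntax accepts these patterns unchanged) and run over constructed INDV values. The function names and the second and third sample values are assumptions made for illustration.

```javascript
// Added example, not from the thread. Function names and sample data are
// hypothetical; only the first sample value comes from the question.

// Pattern from the first answer: position-based (digits | word | target).
const BY_POSITION = /\d+\|\w+\|(?<your_field>[^\|]*)/;
// Pattern from the last answer: anchored on the literal RSPAR marker.
const BY_ANCHOR = /RSPAR\|(?<my_field>[^|]+)/;

function byPosition(indv) {
  const m = BY_POSITION.exec(indv);
  return m ? m.groups.your_field : null;
}

function byAnchor(indv) {
  const m = BY_ANCHOR.exec(indv);
  return m ? m.groups.my_field : null;
}

// Stand-in for mvindex(split(INDV,"|"),2): the third pipe-delimited item,
// or null when the value has fewer than three items.
function bySplit(indv) {
  const parts = indv.split("|");
  return parts.length > 2 ? parts[2] : null;
}

// Run all three approaches on one value and flag any disagreement.
function compare(indv) {
  const r = {
    indv,
    position: byPosition(indv),
    anchor: byAnchor(indv),
    split: bySplit(indv),
  };
  r.agree = r.position === r.anchor && r.anchor === r.split;
  return r;
}

const SAMPLES = [
  "1234566|RSPAR|a1234567|RSPAR",   // value from the question
  "1234566|OTHER|b7654321|RSPAR",   // constructed: item before target is not RSPAR
  "X|1234566|RSPAR|c1112223|RSPAR", // constructed: extra leading item
];

for (const s of SAMPLES) console.log(compare(s));
```

Rows where `agree` is false are the ones to inspect before choosing an extraction for production searches.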