Hi, I am looking for some help regarding Splunk regular expressions. I have data that looks something like this in a field "field1" -
\P1 S+ box 5.00 Dol\BUNDLE_1 0.00 Dol\ P2 Not applicable 15.00 Dol\ DISCOUNT\ D1 -12.50 Dol\T1_EXISTING 0.00 Dol\ T2_EXISTING\ D2 Fibre 41.75 Dol\ T3_EXISTING\ P3 Mix 26.66 Dol\ T4_EXISTING\ P4 Weekends 0.00 Dol\P5 Vgg box 5.00 Dol\DISC* -15.81 Dol \P6* -5.00 Dol \P7* Phone line 19.00 Dol \P8* C&C 0.00 Dol \TI_PENT* 0.00 Dol \P9* -11.00 Dol \P10* Bundle2 -18.60 Dol \P11* Extra Fee 0.00 Dol.
If you observe, there is a product "P1", its description "S+ box" and price "5.00 Dol", and like this there are multiple items separated by "\".
I want to extract these products with their prices so that I can see each product and its associated price.
Basically, I am looking for whether any product has got a NULL price.
Let me know if someone can help.
Check this updated one, using @imthesplunker's rex for Price. (Please upvote comments and answers)
| makeresults
| eval _raw = "\P1 S+ box 5.00 Dol\BUNDLE_1 0.00 Dol\ P2 Not applicable 15.00 Dol\ DISCOUNT\ D1 -12.50 Dol\T1_EXISTING 0.00 Dol\ T2_EXISTING\ D2 Fibre 41.75 Dol\ T3_EXISTING\ P3 Mix 26.66 Dol\ T4_EXISTING\ P4 Weekends 0.00 Dol\P5 Vgg box 5.00 Dol\DISC* -15.81 Dol \P6* -5.00 Dol \P7* Phone line 19.00 Dol \P8* C&C 0.00 Dol \TI_PENT* 0.00 Dol \P9* -11.00 Dol \P10* Bundle2 -18.60 Dol \P11* Extra Fee 0.00 Dol."
| rex field=_raw max_match=0 "\\s?(?<Product>P\d+\D?)\s"
| rex field=_raw max_match=0 "P\d+\*?\s?(\w+\S?\s?\w+\s)?(?<Price>\-?\d+.\d+\s)Dol"
| table Product Price _raw
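The two rex calls above produce separate multivalue Product and Price fields that line up only by position, so an item with no price would shift every later price onto the wrong product. As an added example (not code from the thread), the same extraction in Python splits the field on its "\" delimiter first and parses each item on its own, so a missing price stays attached to the item that lacks it; the sample value is the one posted in the question, and the field/function names are my own.

```python
import re

# Constructed copy of the sample "field1" value posted in the question.
SAMPLE = (
    r"\P1 S+ box 5.00 Dol\BUNDLE_1 0.00 Dol\ P2 Not applicable 15.00 Dol\ DISCOUNT\ "
    r"D1 -12.50 Dol\T1_EXISTING 0.00 Dol\ T2_EXISTING\ D2 Fibre 41.75 Dol\ T3_EXISTING\ "
    r"P3 Mix 26.66 Dol\ T4_EXISTING\ P4 Weekends 0.00 Dol\P5 Vgg box 5.00 Dol\DISC* -15.81 Dol "
    r"\P6* -5.00 Dol \P7* Phone line 19.00 Dol \P8* C&C 0.00 Dol \TI_PENT* 0.00 Dol "
    r"\P9* -11.00 Dol \P10* Bundle2 -18.60 Dol \P11* Extra Fee 0.00 Dol."
)

# One backslash-delimited item: code, optional "*", optional description,
# optional "<price> Dol", optional trailing full stop.
ITEM_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9_]+)\*?"              # P1, DISC, T2_EXISTING, ...
    r"(?:\s+(?P<desc>.*?))?"                    # free-text description (lazy)
    r"(?:\s*(?P<price>-?\d+\.\d{2})\s*Dol)?"    # e.g. -12.50 Dol
    r"\.?$"
)


def parse_items(raw):
    """Split the field on '\\' and return one dict per item; price is None when absent."""
    items = []
    for seg in raw.split("\\"):
        seg = seg.strip()
        if not seg:
            continue
        m = ITEM_RE.match(seg)
        if not m:  # unexpected layout: keep the text, flag it as unpriced
            items.append({"code": seg, "desc": None, "price": None})
            continue
        price = m.group("price")
        items.append({
            "code": m.group("code"),
            "desc": m.group("desc") or None,
            "price": float(price) if price is not None else None,
        })
    return items


def missing_price(items, code_pattern=None):
    """Items with no price; optionally restricted to codes matching code_pattern (e.g. r'P\\d+$')."""
    pat = re.compile(code_pattern) if code_pattern else None
    return [i for i in items
            if i["price"] is None and (pat is None or pat.match(i["code"]))]


if __name__ == "__main__":
    for item in parse_items(SAMPLE):
        print(item)
    print("unpriced:", [i["code"] for i in missing_price(parse_items(SAMPLE))])
```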
Thank you. After some minor modification that worked smoothly. Many thanks for the help. 🙂
Try this.
| makeresults
| eval _raw = "\P1 S+ box 5.00 Dol\BUNDLE_1 0.00 Dol\ P2 Not applicable 15.00 Dol\ DISCOUNT\ D1 -12.50 Dol\T1_EXISTING 0.00 Dol\ T2_EXISTING\ D2 Fibre 41.75 Dol\ T3_EXISTING\ P3 Mix 26.66 Dol\ T4_EXISTING\ P4 Weekends 0.00 Dol\P5 Vgg box 5.00 Dol\DISC* -15.81 Dol \P6* -5.00 Dol \P7* Phone line 19.00 Dol \P8* C&C 0.00 Dol \TI_PENT* 0.00 Dol \P9* -11.00 Dol \P10* Bundle2 -18.60 Dol \P11* Extra Fee 0.00 Dol."
| rex field=_raw max_match=0 "\\s?(?<Product>P\d+)\*?\s"
| rex field=_raw max_match=0 "P\d+\*?\s?(\w+\S?\s?\w+\s)?(?<Price>\-?\d+.\d+\s)Dol"
| rex field=_raw max_match=0 "P\d+\*?\s?(?<Desc>\w+\S?\s?\w+)\s"
| table Product Price
Hope this helps!
If Product doesn't have negative values, the regex is | rex field=_raw max_match=0 "P\d+\*?\s?(\w+\S?\s?\w+\s)?\-?(?<Price>\d+.\d+\s)Dol"
Looking at the first product, we can do something like this to extract the two sets -
\\P1(?<name1>.*)(?<price1>\d.\d\d) Dol\\(?<name2>.*)(?<price2>\d.\d\d) Dol\\ P2
So, in your example, which product should the regex match?
I actually need it for each product. I want to see if any product has a NULL price in it. So basically, consider these items as being in a customer's basket; before we proceed to place the order, we want to know if there is anything which does not have a price associated with it.