Solved: how to use the rex command to extract data when we...

s0m073r · ‎02-06-2020

Hi have a scenario, where I would like to extract the field OfferCode which has space after and before the code:

OfferCode : XYZAQERWSD

Please help with rex command to extract this field OfferCode

codebuilder · ‎02-07-2020

An easier way honestly is to use "erex", which is a hidden gem.

Pipe your search to this:

| erex offercode examples="XYZAQERWSD"

Wait for the search to complete, then look at the job inspector. At the top it will provide the regex necessary to find the value you are looking for. Example: alt text

You can also use "counterexamples" to exclude results.

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Erex

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

codebuilder · ‎02-07-2020

An easier way honestly is to use "erex", which is a hidden gem.

Pipe your search to this:

| erex offercode examples="XYZAQERWSD"

Wait for the search to complete, then look at the job inspector. At the top it will provide the regex necessary to find the value you are looking for. Example: alt text

You can also use "counterexamples" to exclude results.

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Erex

----
An upvote would be appreciated and Accept Solution if it helps!

s0m073r · ‎02-07-2020

thank you, it worked.
thank you all for helping

codebuilder · ‎02-07-2020

Glad to help!

----
An upvote would be appreciated and Accept Solution if it helps!

abhijeet01 · ‎02-07-2020

Hi s0m073r,

Pls try below regex command.

rex field = _raw "\OfferCode\s:\s(?P<OfferCode>[^\s+]+)"

vnravikumar · ‎02-06-2020

Hi

Try this also

| makeresults 
| eval temp="OfferCode : XYZAQERWSD" 
| regex temp="OfferCode\s:" 
| eval result=mvindex(trim(split(temp,":")),-1)

to4kawa · ‎02-06-2020

I agree. but there is unclear field.

s0m073r · ‎02-06-2020

Hi @to4kawa
getting this:
**
Error in 'SearchParser': Missing a search command before '|'. Error at position '84' of search query 'search index=XXXX CheckoutBizException:...{snipped} {errorcontext = OfferId| | rex field}'.**

to4kawa · ‎02-06-2020

@s0m073r

 {errorcontext = OfferId| | rex field

| is double.

to4kawa · ‎02-06-2020

Sample:

| makeresults 
| eval _raw="exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf" 
| rex  "OfferId\s:\s(?P<OfferCode>\S+)"

cf. makeresults

| rex "OfferId\s:\s(?P<OfferCode>\S+)"
Hi, @s0m073r
How about this?

If your default _raw contains your sample code , rex works

s0m073r · ‎02-06-2020

@to4kawa
tried with
*rex field=Offers "OfferId\s:\s(?P\S+)" *

But there is no field getting created to view the list, I can see no errors though

to4kawa · ‎02-06-2020

@s0m073r
Does Offers contain "OfferCode : XYZAQERWSD" ?

rex "OfferCode\s:\s(?P<OfferCode>\S+)"
Is that enough?

By the way, what's OfferId ?

s0m073r · ‎02-07-2020

let me give my complete requirement:

exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf

can you please now help me getting the extract of the Offerid field alone with the code?

to4kawa · ‎02-07-2020

@s0m073r
I see, my answer is updated. please confirm.

vnravikumar · ‎02-07-2020

Hi

Try this

| makeresults 
| eval temp="exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf" 
| rex field=temp "OfferId\s+:\s+(?P<id>[^@#]+)"

s0m073r · ‎02-07-2020

Error in 'makeresults' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

vnravikumar · ‎02-07-2020

You no need of makeresults command, here i had used to create dummy event. | rex field=temp "OfferId\s+:\s+(?P<id>[^@#]+)" is enough. In that instead of temp you give actual field name.

how to use the rex command to extract data when we have space

cf. makeresults

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...