
how to use the rex command to extract data when we have space

s0m073r
Engager

Hi, I have a scenario where I would like to extract the field OfferCode, which has a space after and before the code:

OfferCode : XYZAQERWSD

Please help with a rex command to extract this field OfferCode.

0 Karma
1 Solution

codebuilder
SplunkTrust
SplunkTrust

An easier way honestly is to use "erex", which is a hidden gem.

Pipe your search to this:

| erex offercode examples="XYZAQERWSD"

Wait for the search to complete, then look at the job inspector. At the top it will provide the regex necessary to find the value you are looking for.

You can also use "counterexamples" to exclude results.

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Erex

----
An upvote would be appreciated and Accept Solution if it helps!

s0m073r
Engager

thank you, it worked.
thank you all for helping

0 Karma

codebuilder
SplunkTrust
SplunkTrust

Glad to help!

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

abhijeet01
Path Finder

Hi s0m073r,

Please try the rex command below.

| rex field=_raw "OfferCode\s:\s(?P<OfferCode>[^\s]+)"
0 Karma

vnravikumar
Champion

Hi

Try this also

| makeresults 
| eval temp="OfferCode : XYZAQERWSD" 
| regex temp="OfferCode\s:" 
| eval result=trim(mvindex(split(temp,":"),-1))
0 Karma

to4kawa
Ultra Champion

I agree, but there is an unclear field.

0 Karma

s0m073r
Engager

Hi @to4kawa
getting this:

Error in 'SearchParser': Missing a search command before '|'. Error at position '84' of search query 'search index=XXXX CheckoutBizException:...{snipped} {errorcontext = OfferId| | rex field}'.

0 Karma

to4kawa
Ultra Champion

@s0m073r

{errorcontext = OfferId| | rex field

The | is doubled.

0 Karma

to4kawa
Ultra Champion

Sample:

| makeresults 
| eval _raw="exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf" 
| rex "OfferId\s:\s(?P<OfferCode>\S+)"

cf. makeresults

Hi, @s0m073r
How about this?

| rex "OfferId\s:\s(?P<OfferCode>\S+)"

If your default _raw contains your sample code, rex works.

0 Karma

s0m073r
Engager

@to4kawa
tried with

rex field=Offers "OfferId\s:\s(?P<OfferCode>\S+)"

But there is no field getting created to view the list; I can see no errors though.

0 Karma

to4kawa
Ultra Champion

@s0m073r
Does Offers contain "OfferCode : XYZAQERWSD" ?

rex "OfferCode\s:\s(?P<OfferCode>\S+)"
Is that enough?

By the way, what's OfferId ?

0 Karma

s0m073r
Engager

let me give my complete requirement:

exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf

can you please now help me extract the OfferId field alone, with the code?

0 Karma

to4kawa
Ultra Champion

@s0m073r
I see, my answer is updated. please confirm.

0 Karma

vnravikumar
Champion

Hi

Try this

| makeresults 
| eval temp="exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf" 
| rex field=temp "OfferId\s+:\s+(?P<id>[^@#]+)"
0 Karma

s0m073r
Engager

Error in 'makeresults' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

0 Karma

vnravikumar
Champion

You don't need the makeresults command; I used it here to create a dummy event. | rex field=temp "OfferId\s+:\s+(?P<id>[^@#]+)" is enough. Instead of temp, give the actual field name.

0 Karma
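The regexes suggested in this thread capture different things from the same event: to4kawa's `\S+` takes everything up to the next whitespace (so `ASRDAVS32@#4sdfsf` in full), vnravikumar's `[^@#]+` stops at the first `@` or `#` (so `ASRDAVS32`), and the single `\s` on each side of the colon only matches when there is exactly one space. The following is an added example, not code from the thread or from Splunk: it runs those patterns, plus abhijeet01's, through Python's re module. It assumes that these constructs (\s, \S, \s+, negated classes, (?P<name>...) groups) behave the same in Python's re as in the PCRE engine behind Splunk's rex, which holds for the constructs used here. The events are constructed copies of the two lines posted in the thread plus one two-space variant that is not in the thread.

```python
r"""Added example, not code from the thread or from Splunk.

Runs the rex patterns suggested in the thread through Python's re module so
each capture can be checked offline. Assumption: the constructs used here
(\s, \S, \s+, negated classes, (?P<name>...)) behave identically in Python's
re and in Splunk's PCRE-based rex, so what rex() returns is what
`| rex field=_raw "..."` would extract.
"""
import re

# Constructed sample events. "original" and "real" are copies of the two
# lines posted in the thread; "wide" is an added variant with two spaces
# around the colon, which is not in the thread.
EVENTS = {
    "original": "OfferCode : XYZAQERWSD",
    "real": "exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf",
    "wide": "exce.msg=ServiceException:No valid XXXx for OfferId  :  ASRDAVS32@#4sdfsf",
}

# The patterns suggested in the thread, keyed by poster. abhijeet01's pattern
# is used without the stray backslash before OfferCode: Python's re rejects
# "\O" as a bad escape, and it adds nothing to the match.
PATTERNS = {
    "abhijeet01": r"OfferCode\s:\s(?P<OfferCode>[^\s+]+)",
    "to4kawa": r"OfferId\s:\s(?P<OfferCode>\S+)",
    "vnravikumar": r"OfferId\s+:\s+(?P<id>[^@#]+)",
}


def rex(pattern: str, event: str) -> dict:
    """Mimic `| rex field=_raw "<pattern>"` on a single event.

    Returns the named groups of the first match. When the regex does not
    match it returns {}: rex likewise creates no field and raises no error,
    which is why the asker saw "no field getting created" but no errors.
    """
    m = re.search(pattern, event)
    return m.groupdict() if m else {}


def split_after_colon(event: str) -> str:
    """Mimic trim(mvindex(split(temp,":"),-1)): take the text after the last
    colon. This works on both sample events only because the code is the
    last colon-separated token on the line."""
    return event.split(":")[-1].strip()


def compare_all() -> dict:
    """Run every pattern over every event: {poster: {event_name: captured}}."""
    return {
        poster: {name: rex(pattern, event) for name, event in EVENTS.items()}
        for poster, pattern in PATTERNS.items()
    }


if __name__ == "__main__":
    for poster, results in compare_all().items():
        print(poster, PATTERNS[poster])
        for name, captured in results.items():
            print(f"  {name:8s} -> {captured or 'no match (no field created)'}")
    print("split_after_colon(real) ->", split_after_colon(EVENTS["real"]))
```

Running it shows the two trade-offs worth deciding before you ship the extraction: whether the code may contain `@` or `#` (then `[^@#]+` truncates it), and whether the spacing around the colon is fixed (then `\s` is fine; otherwise use `\s+` or `\s*`).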