Splunk Search

how to use the rex command to extract data when we have space

s0m073r
Engager

Hi have a scenario, where I would like to extract the field OfferCode which has space after and before the code:

OfferCode : XYZAQERWSD

Please help with rex command to extract this field OfferCode

0 Karma
1 Solution

codebuilder
Influencer

An easier way honestly is to use "erex", which is a hidden gem.

Pipe your search to this:

| erex offercode examples="XYZAQERWSD"

Wait for the search to complete, then look at the job inspector. At the top it will provide the regex necessary to find the value you are looking for. Example: alt text

You can also use "counterexamples" to exclude results.

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Erex

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

codebuilder
Influencer

An easier way honestly is to use "erex", which is a hidden gem.

Pipe your search to this:

| erex offercode examples="XYZAQERWSD"

Wait for the search to complete, then look at the job inspector. At the top it will provide the regex necessary to find the value you are looking for. Example: alt text

You can also use "counterexamples" to exclude results.

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Erex

----
An upvote would be appreciated and Accept Solution if it helps!

s0m073r
Engager

thank you, it worked.
thank you all for helping

0 Karma

codebuilder
Influencer

Glad to help!

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

abhijeet01
Path Finder

Hi s0m073r,

Pls try below regex command.

rex field = _raw "\OfferCode\s:\s(?P<OfferCode>[^\s+]+)"
0 Karma

vnravikumar
Champion

Hi

Try this also

| makeresults 
| eval temp="OfferCode : XYZAQERWSD" 
| regex temp="OfferCode\s:" 
| eval result=mvindex(trim(split(temp,":")),-1)
0 Karma

to4kawa
Ultra Champion

I agree. but there is unclear field.

0 Karma

s0m073r
Engager

Hi @to4kawa
getting this:
**
Error in 'SearchParser': Missing a search command before '|'. Error at position '84' of search query 'search index=XXXX CheckoutBizException:...{snipped} {errorcontext = OfferId| | rex field}'.**

0 Karma

to4kawa
Ultra Champion

@s0m073r

 {errorcontext = OfferId| | rex field

| is double.

0 Karma

to4kawa
Ultra Champion

Sample:

| makeresults 
| eval _raw="exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf" 
| rex  "OfferId\s:\s(?P<OfferCode>\S+)"

cf. makeresults

| rex "OfferId\s:\s(?P<OfferCode>\S+)"
Hi, @s0m073r
How about this?

If your default _raw contains your sample code , rex works

0 Karma

s0m073r
Engager

@to4kawa
tried with
*rex field=Offers "OfferId\s:\s(?P\S+)" *

But there is no field getting created to view the list, I can see no errors though

0 Karma

to4kawa
Ultra Champion

@s0m073r
Does Offers contain "OfferCode : XYZAQERWSD" ?

rex "OfferCode\s:\s(?P<OfferCode>\S+)"
Is that enough?

By the way, what's OfferId ?

0 Karma

s0m073r
Engager

let me give my complete requirement:

exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf

can you please now help me getting the extract of the Offerid field alone with the code?

0 Karma

to4kawa
Ultra Champion

@s0m073r
I see, my answer is updated. please confirm.

0 Karma

vnravikumar
Champion

Hi

Try this

| makeresults 
| eval temp="exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf" 
| rex field=temp "OfferId\s+:\s+(?P<id>[^@#]+)"
0 Karma

s0m073r
Engager

Error in 'makeresults' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

0 Karma

vnravikumar
Champion

You no need of makeresults command, here i had used to create dummy event. | rex field=temp "OfferId\s+:\s+(?P<id>[^@#]+)" is enough. In that instead of temp you give actual field name.

0 Karma
Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...