Hi, I have a scenario where I would like to extract the field OfferCode, which has a space after and before the code:
OfferCode : XYZAQERWSD
Please help with rex command to extract this field OfferCode
An easier way honestly is to use "erex", which is a hidden gem.
Pipe your search to this:
| erex offercode examples="XYZAQERWSD"
Wait for the search to complete, then look at the job inspector. At the top it will provide the regex necessary to find the value you are looking for. Example:
You can also use "counterexamples" to exclude results.
https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Erex
thank you, it worked.
thank you all for helping
Glad to help!
Hi s0m073r,
Please try the regex command below.
rex field=_raw "OfferCode\s:\s(?P<OfferCode>[^\s+]+)"
Hi
Try this also
| makeresults
| eval temp="OfferCode : XYZAQERWSD"
| regex temp="OfferCode\s:"
| eval result=mvindex(trim(split(temp,":")),-1)
I agree, but there is an unclear field.
Hi @to4kawa
getting this:
Error in 'SearchParser': Missing a search command before '|'. Error at position '84' of search query 'search index=XXXX CheckoutBizException:...{snipped} {errorcontext = OfferId| | rex field}'.
@s0m073r
{errorcontext = OfferId| | rex field
| is double.
Sample:
| makeresults
| eval _raw="exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf"
| rex "OfferId\s:\s(?P<OfferCode>\S+)"
| rex "OfferId\s:\s(?P<OfferCode>\S+)"
Hi, @s0m073r
How about this?
If your default _raw contains your sample code, rex works.
@to4kawa
tried with
rex field=Offers "OfferId\s:\s(?P\S+)"
But there is no field getting created to view the list, I can see no errors though
@s0m073r
Does Offers contain "OfferCode : XYZAQERWSD" ?
rex "OfferCode\s:\s(?P<OfferCode>\S+)"
Is that enough?
By the way, what's OfferId?
let me give my complete requirement:
exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf
Can you please now help me get the extract of the Offerid field alone with the code?
@s0m073r
I see, my answer is updated. Please confirm.
Hi
Try this
| makeresults
| eval temp="exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf"
| rex field=temp "OfferId\s+:\s+(?P<id>[^@#]+)"
Error in 'makeresults' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
You don't need the makeresults command; I used it here to create a dummy event. | rex field=temp "OfferId\s+:\s+(?P<id>[^@#]+)" is enough. In that, instead of temp, give the actual field name.
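Added example, not part of any post in this thread: the patterns posted above, run against the thread's two sample events plus one constructed event with doubled spaces, to show when a pattern silently produces no field and what each one actually captures. It uses Python's re module on the assumption that it behaves like Splunk's PCRE for these simple patterns; the "tolerant" pattern and the pattern labels are hypothetical names introduced here.

```python
import re

# Two sample events copied from the thread, plus one constructed variant
# (doubled spaces around the colon) to show spacing sensitivity.
EVENTS = [
    "OfferCode : XYZAQERWSD",
    "exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf",
    "OfferId  :  ABC123",  # constructed
]

PATTERNS = {
    # Patterns as posted in the thread.
    "posted_code": r"OfferCode\s:\s(?P<OfferCode>\S+)",
    "posted_id": r"OfferId\s:\s(?P<OfferCode>\S+)",
    "posted_id_class": r"OfferId\s+:\s+(?P<id>[^@#]+)",
    # Hypothetical combined pattern (assumption, not from the thread):
    # accepts either label and any amount of whitespace around the colon.
    "tolerant": r"Offer(?:Code|Id)\s*:\s*(?P<OfferCode>\S+)",
}


def extract(pattern_name, event):
    """Return {group: value} for the first match, or None.

    None corresponds to rex finishing without error and creating no field.
    """
    match = re.search(PATTERNS[pattern_name], event)
    return match.groupdict() if match else None


def compare():
    """Run every pattern against every event."""
    return {
        (name, event): extract(name, event)
        for name in PATTERNS
        for event in EVENTS
    }


if __name__ == "__main__":
    for (name, event), fields in compare().items():
        print(f"{name:16} | {event[-28:]:28} | {fields}")
```

A pattern written for "OfferCode" returns nothing on an "OfferId" event, and `[^@#]+` stops at the first `@` or `#`, so it captures less than `\S+` does on the same event.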