Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- regex question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to get exactly 10 digits which might be between white spaces or symbols etc:
1234567890
,234567890 , 1234567890
:1234567890
etc etc
but not 10 digits from a string of 11+ digits etc
There are no unique digits within these 10 digit ID's I am trying to identify. I am just trying to get as close as possible without generating to many false positives
TIA
TIA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nathanluke86,
Assuming I fully understood your requirements, the following SPL should do the trick:
| rex max_match=0 "\b(?<id>\d{10})\b"
| mvexpand id
Max match will capture any occurrences of 10 digits in you event and place the values into a multivalued field named id. You can then expand id if you want those multivalue fields to be displayed individually or just leave them as they are.
Hope that makes sense.
Regards,
J
Edited: fixing a typo on the regex as I couldn't test this on a Splunk instance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=yours
| regex "\b\d{10})\b"
| rex max_match=0 "\b(?<id>\d{10})\b"
at first, search what you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nathanluke86,
Assuming I fully understood your requirements, the following SPL should do the trick:
| rex max_match=0 "\b(?<id>\d{10})\b"
| mvexpand id
Max match will capture any occurrences of 10 digits in you event and place the values into a multivalued field named id. You can then expand id if you want those multivalue fields to be displayed individually or just leave them as they are.
Hope that makes sense.
Regards,
J
Edited: fixing a typo on the regex as I couldn't test this on a Splunk instance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nathanluke86, don't forget to accept one of the answers if your problem is now solved.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nathanluke86,
could you share an example of your logs?
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gcusello
I don't have specific logs to search. I just need to search all indexes index=* for exactly 10 digit strings that are between white spaces or symbols as above
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nathanluke86,
you could use something like this:
index=your_index
| rex max_match=0 "\b(?<your_id>\d{10})\b"
Ciao.
Giuseppe
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
