Solved: regex question

splunk_novice99 · ‎10-18-2023

Hello Experts,

I'm trying to work out how to strip down a field

field="blah_6chars_blah_blah"

the 6chars is what I want to extract and the 6 chars are always prefixed with 999.
the 6 chars prefixed with 999 might be in a different place in the field. i.e. blah_blah_6chars_blah

6chars example value=999aaa

so the regex should find all occurences of 999 in the field and extract the 999 and the next 3 chars and create an additional field with the result

Thanks

isoutamo · ‎10-18-2023

Hi

you could try this

...
| rex field=field "(?<foo>999[a-zA-Z0-9]{3})_*"

Then you have this in field foo. You should change [a-ZA-Z0-9] if those 3 characters could be something else than those.

r. Ismo

View solution in original post

yuanliu · ‎10-18-2023

You need to be precise in data description. I assume that the six characters starting with 999 are bounded by underscore (_), beginning of the string, or end of the string. Something like the following would do

| rex field=field "^([^_]+_)*(?<six_char>999.{3})(_[^_]+)*$"

Here is an emulation you can play with and compare with real data.

| makeresults
| fields - _time
| eval field=mvappend("blah_999ars_blah_blah", "blah_blah_999cha_blah", "9996ch_blah_blah_blah", "blah_blah_blah_999har")
| mvexpand field
``` data emulation above ```

isoutamo · ‎10-18-2023

Hi

you could try this

...
| rex field=field "(?<foo>999[a-zA-Z0-9]{3})_*"

Then you have this in field foo. You should change [a-ZA-Z0-9] if those 3 characters could be something else than those.

r. Ismo

regex question

regex

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...