Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

regex question

nathanluke86
Communicator
‎04-06-2020 05:32 AM

I am trying to get exactly 10 digits which might be between white spaces or symbols etc:

1234567890
,234567890 , 1234567890
:1234567890

etc etc

but not 10 digits from a string of 11+ digits etc

There are no unique digits within these 10 digit ID's I am trying to identify. I am just trying to get as close as possible without generating to many false positives

TIA

TIA

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-06-2020 06:06 AM

Hi @nathanluke86,

Assuming I fully understood your requirements, the following SPL should do the trick:

| rex max_match=0 "\b(?<id>\d{10})\b"
| mvexpand id

Max match will capture any occurrences of 10 digits in you event and place the values into a multivalued field named id. You can then expand id if you want those multivalue fields to be displayed individually or just leave them as they are.

Hope that makes sense.

Regards,
J

Edited: fixing a typo on the regex as I couldn't test this on a Splunk instance

View solution in original post

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-06-2020 01:09 PM 
index=yours
| regex "\b\d{10})\b"
| rex max_match=0 "\b(?<id>\d{10})\b"

at first, search what you want.

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-06-2020 06:06 AM

Hi @nathanluke86,

Assuming I fully understood your requirements, the following SPL should do the trick:

| rex max_match=0 "\b(?<id>\d{10})\b"
| mvexpand id

Max match will capture any occurrences of 10 digits in you event and place the values into a multivalued field named id. You can then expand id if you want those multivalue fields to be displayed individually or just leave them as they are.

Hope that makes sense.

Regards,
J

Edited: fixing a typo on the regex as I couldn't test this on a Splunk instance

Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-08-2020 01:59 AM

Hi @nathanluke86, don't forget to accept one of the answers if your problem is now solved.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2020 05:36 AM

Hi @nathanluke86,
could you share an example of your logs?
Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

nathanluke86
Communicator
‎04-06-2020 05:45 AM

@gcusello

I don't have specific logs to search. I just need to search all indexes index=* for exactly 10 digit strings that are between white spaces or symbols as above

Thanks

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2020 06:22 AM

Hi @nathanluke86,
you could use something like this:

index=your_index 
| rex max_match=0 "\b(?<your_id>\d{10})\b"

Ciao.
Giuseppe

Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...