Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

regex question

splunk_novice99
Explorer
‎10-18-2023 11:17 PM

Hello Experts,

I'm trying to work out how to strip down a field 

field="blah_6chars_blah_blah"

the 6chars is what I want to extract and the 6 chars are always prefixed with 999.
the 6 chars prefixed with 999 might be in a different place in the field.  i.e.  blah_blah_6chars_blah

6chars example value=999aaa

so the regex should find  all occurences of 999 in the field and extract the 999 and the next 3 chars and create an additional field with the result

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-18-2023 11:27 PM

Hi

you could try this

...
| rex field=field "(?<foo>999[a-zA-Z0-9]{3})_*"

Then you have this in field foo. You should change [a-ZA-Z0-9] if those 3 characters could be something else than those.

r. Ismo 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-18-2023 11:38 PM

You need to be precise in data description.  I assume that the six characters starting with 999 are bounded by underscore (_), beginning of the string, or end of the string.  Something like the following would do

| rex field=field "^([^_]+_)*(?<six_char>999.{3})(_[^_]+)*$"

Here is an emulation you can play with and compare with real data.

| makeresults
| fields - _time
| eval field=mvappend("blah_999ars_blah_blah", "blah_blah_999cha_blah", "9996ch_blah_blah_blah", "blah_blah_blah_999har")
| mvexpand field
``` data emulation above ```
0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-18-2023 11:27 PM

Hi

you could try this

...
| rex field=field "(?<foo>999[a-zA-Z0-9]{3})_*"

Then you have this in field foo. You should change [a-ZA-Z0-9] if those 3 characters could be something else than those.

r. Ismo 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...