Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

regex question

splunk_novice99
Explorer
‎10-18-2023 11:17 PM

Hello Experts,

I'm trying to work out how to strip down a field 

field="blah_6chars_blah_blah"

the 6chars is what I want to extract and the 6 chars are always prefixed with 999.
the 6 chars prefixed with 999 might be in a different place in the field.  i.e.  blah_blah_6chars_blah

6chars example value=999aaa

so the regex should find  all occurences of 999 in the field and extract the 999 and the next 3 chars and create an additional field with the result

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-18-2023 11:27 PM

Hi

you could try this

...
| rex field=field "(?<foo>999[a-zA-Z0-9]{3})_*"

Then you have this in field foo. You should change [a-ZA-Z0-9] if those 3 characters could be something else than those.

r. Ismo 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-18-2023 11:38 PM

You need to be precise in data description.  I assume that the six characters starting with 999 are bounded by underscore (_), beginning of the string, or end of the string.  Something like the following would do

| rex field=field "^([^_]+_)*(?<six_char>999.{3})(_[^_]+)*$"

Here is an emulation you can play with and compare with real data.

| makeresults
| fields - _time
| eval field=mvappend("blah_999ars_blah_blah", "blah_blah_999cha_blah", "9996ch_blah_blah_blah", "blah_blah_blah_999har")
| mvexpand field
``` data emulation above ```
0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-18-2023 11:27 PM

Hi

you could try this

...
| rex field=field "(?<foo>999[a-zA-Z0-9]{3})_*"

Then you have this in field foo. You should change [a-ZA-Z0-9] if those 3 characters could be something else than those.

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...