Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- rex Named extraction for acronyms that have 4 lett...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm trying to create a named extraction and want to use regex to find all instance of 4 letter acronyms that are all capitol letters.
i.e.: ABCD, DEFG, HIJK, LMNO.
Needs to find only 4 consecution letters that are all CAPS.
Anyone able to provide an example for the syntax I need?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The regex you need is just the following
[A-Z]{4}
In terms of the named extraction you are talking about it all depends where you want to do this.
If you are happy to do it in SPL simply use rex:
your query here
| rex field=YOUR_FIELD_WITH_ACRONMYS "(?<named_field>[A-Z]{4})"
Which will create a new field called "named_field".
If you are expecting more than 1 match in a single event then use max_match=0 in your rex command. It'll then create "named_field" as a multivalue field.
If you want to do this in props.conf and/or transforms.conf I would recommend you read the following doc as again, it all depends on your use case and I don't have enough information to give you a decent advice:
EXAMPLES
This might be the simplest one of all in props.conf:
EXTRACT-acronyms = (?<named_field>[A-Z]{4})
If you wanted that multivalue you could use REPORT in props.conf and then elaborate the extraction in transforms.conf:
# props.conf
[your_sourcetype]
REPORT-acronyms = mv_acronyms
# transforms.conf
[mv_acronyms]
REGEX = (?<named_field>[A-Z]{4})
MV_ADD = true
Hope that helps as a start,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The regex you need is just the following
[A-Z]{4}
In terms of the named extraction you are talking about it all depends where you want to do this.
If you are happy to do it in SPL simply use rex:
your query here
| rex field=YOUR_FIELD_WITH_ACRONMYS "(?<named_field>[A-Z]{4})"
Which will create a new field called "named_field".
If you are expecting more than 1 match in a single event then use max_match=0 in your rex command. It'll then create "named_field" as a multivalue field.
If you want to do this in props.conf and/or transforms.conf I would recommend you read the following doc as again, it all depends on your use case and I don't have enough information to give you a decent advice:
EXAMPLES
This might be the simplest one of all in props.conf:
EXTRACT-acronyms = (?<named_field>[A-Z]{4})
If you wanted that multivalue you could use REPORT in props.conf and then elaborate the extraction in transforms.conf:
# props.conf
[your_sourcetype]
REPORT-acronyms = mv_acronyms
# transforms.conf
[mv_acronyms]
REGEX = (?<named_field>[A-Z]{4})
MV_ADD = true
Hope that helps as a start,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@agoktas please do not forget to accept an answer if you are happy with it
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
