Splunk Search

rex field extraction

swetasoneji
New Member

How would I extract the account number here?

message:Receiving exp from: Long URL /Eex for account(s): 8768

rex field=_raw "Exposure for account(s):\s+(?[^,]+)"

It neither brings result nor error.

1 Solution

FrankVl
Ultra Champion

Your message sample says /Eex, but your regex starts with "Exposure". Is that just a typo in your sample? Otherwise that could be one of the issues.

Also:

  • If you want to actually match a ( character, you need to escape it.
  • Your capturing group needs to be named so that it gets put into a field.

To keep it simple (you can enhance it if you need), something like this should work:

| rex field=_raw "account\(s\):\s+(?<account_number>\d+)"

See also: https://regex101.com/r/ELFlV3/1
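An added example to illustrate the two points above; it is not code from the thread. JavaScript's RegExp accepts the same (?<name>...) named-group and \( escape syntax that Splunk's PCRE-based rex uses for these patterns, so the three variants of the question's regex can be run side by side against a constructed copy of the sample event. The rexExtract helper and its "null when no field is produced" convention are assumptions of this example, not rex behaviour.

```javascript
// Constructed sample event, modelled on the one in the question.
const SAMPLE_EVENT =
  "message:Receiving exp from: Long URL /Eex for account(s): 8768";

// Apply a rex-style pattern to a raw event. Returns the named groups as the
// fields rex would add, or null when no field comes out of it (no match, or a
// match with no named group). Helper is an assumption of this example.
function rexExtract(raw, pattern) {
  const match = new RegExp(pattern).exec(raw);
  if (!match || !match.groups) return null;
  return { ...match.groups };
}

// 1. Unescaped parentheses: "account(s):" means the literal "account", a
//    capturing group around "s", then ":", i.e. it only matches the text
//    "accounts:", which the event does not contain.
const UNESCAPED = String.raw`account(s):\s+(?<account_number>\d+)`;

// 2. Escaped parentheses but an unnamed group: the regex matches the event,
//    yet there is no group name, so there is nothing to turn into a field.
const UNNAMED = String.raw`account\(s\):\s+(\d+)`;

// 3. Escaped and named, as in the accepted answer.
const FIXED = String.raw`account\(s\):\s+(?<account_number>\d+)`;

function demo() {
  return {
    unescaped: rexExtract(SAMPLE_EVENT, UNESCAPED), // null: no match
    unnamed: rexExtract(SAMPLE_EVENT, UNNAMED),     // null: no named group
    fixed: rexExtract(SAMPLE_EVENT, FIXED),         // { account_number: "8768" }
  };
}

console.log(demo());
```

Run it with node; only the third variant yields a field, which is exactly the difference between the regex in the question and the one in this answer.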


TISKAR
Builder

Yes, it's easy, like this:

| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR"
| rex field=_raw "Eex for account\(s\):\s+(?<accounts>.*)"
| makemv delim="," accounts
| mvexpand accounts
| rex field=accounts "(?<accounts>\d+)"

swetasoneji
New Member

That above won't help, as I'm extracting info from logs and we're limited here; thus I need to extract with rex.

| rex field=_raw "account\(s\):\s+(?<account_number>\d+)"

This is correct, but it's taking only digits; however, my accounts contain letters as well as digits. Also there is text after that too, which I would like to eliminate so that the result is limited to the accounts only.


TISKAR
Builder

| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR"
| rex field=_raw "Eex for account\(s\):\s+(?<accounts>.*)"
| makemv delim="," accounts
| mvexpand accounts
| rex field=accounts "(?<accounts>\d+)"


TISKAR
Builder

Hello,

To handle multiple values, you can use the makemv and mvexpand commands:

| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR"
| rex field=_raw "Eex for account\(s\):\s+(?<accounts>.*)"
| makemv delim="," accounts
| mvexpand accounts

If that works, please accept the answer to help another person with the same problem.
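An added example, not code from the thread, that emulates the rex, makemv and mvexpand steps above in JavaScript. It shows what happens to the open-ended .* capture when text follows the account list (the situation the question raises) and contrasts it with a capture bounded to comma-separated alphanumeric account tokens. The sample event is constructed: it is the multi-account sample from the thread with trailing text appended, since no full event with trailing text was posted.

```javascript
// Constructed sample: the thread's multi-account sample plus assumed trailing
// text after the last account.
const MULTI_EVENT =
  "message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR then more text";

// The answer's capture: everything after the label, trailing text included.
const GREEDY = /Eex for account\(s\):\s+(?<accounts>.*)/;

// Bounded capture: one alphanumeric token, then any number of ", token"
// repetitions (spaces around the comma allowed). The match stops at the first
// word that is not joined to the list by a comma.
const BOUNDED =
  /Eex for account\(s\):\s+(?<accounts>[A-Za-z0-9]+(?:\s*,\s*[A-Za-z0-9]+)*)/;

// rex: take the named group. makemv delim=",": split it into a multivalue
// field. mvexpand: one row per value, returned here as array elements. The
// trim() stands in for the leading space makemv would keep after ", ".
function expandAccounts(raw, pattern) {
  const match = pattern.exec(raw);
  if (!match) return []; // rex adds no field, so there is nothing to expand
  return match.groups.accounts.split(",").map((v) => v.trim());
}

function compare() {
  return {
    greedy: expandAccounts(MULTI_EVENT, GREEDY),
    // ["7293", "7243BMKTL", "8987", "5787JHR then more text"]
    bounded: expandAccounts(MULTI_EVENT, BOUNDED),
    // ["7293", "7243BMKTL", "8987", "5787JHR"]
  };
}

console.log(compare());
```

The bounded pattern assumes the trailing text is separated from the last account by whitespace rather than a comma; if the log can contain ", word" after the list, the token class needs tightening to the real account format. In SPL, makemv tokenizer="([A-Za-z0-9]+)" accounts can be used instead of delim="," so that the values do not carry the leading space after ", ".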


TISKAR
Builder

Hey,

What you are doing is correct; you must just add \ before ( like account\(s\), and add the name of the field to extract like ?<accounts>, for example:

| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768"
| rex field=_raw "Eex for account\(s\):\s+(?<accounts>[^,]+)"

swetasoneji
New Member

I'm actually trying to do this.
https://regex101.com/r/ELFlV3/1

I want to take only the accounts. I don't want to take any text after that.


elliotproebstel
Champion

It sounds like your event might have more data after the account number(s). Can you paste a full sample event, so that we can help you figure out how to extract all account numbers but not the text after the accounts?


TISKAR
Builder

You can test directly in Splunk; that takes only the number, not the text. Copy and paste the whole request into the search bar.


swetasoneji
New Member

Managed to work it out:

https://regex101.com/r/ELFlV3/1

Thanks all for your help.


richgalloway
SplunkTrust
SplunkTrust

@swetasoneji If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

swetasoneji
New Member

Thanks a lot.

This worked:

| rex field=_raw "account\(s\):\s+(?<account_number>\d+)"

But let's say I have multiple accounts here: 7293,7243BMKTL, 8987,5787JHR


FrankVl
Ultra Champion

What do you want to do with multiple account numbers? Take the first one? Take them all and make it a multi value field?


swetasoneji
New Member

How do I make a multi-value field?


swetasoneji
New Member

https://regex101.com/r/ELFlV3/1

I don't want the sample test run in my result:

Final result would be 8768,789JRH,789JRH,789JRH,7854JRH


niketn
Legend

@swetasoneji, the following is a run-anywhere search based on the sample data to fetch the account.

| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768"
| rex "\/Eex for account\(s\):\s(?<accounts>.*)"

Based on your data and the partial rex, it seems that if there are multiple accounts they would be comma separated. Can you please add another sample for multiple accounts?

You can try the following run-anywhere search if multiple accounts are comma separated.

| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768,8851,8423"
| rex "\/Eex for account\(s\):\s(?<accounts>.*)"
| makemv accounts delim=","
| mvexpand accounts

Following is the link from regex101.com for you to test the regular expression with your sample data and also understand how the regular expression works: https://regex101.com/r/m1dGQZ/1
While posting sample data or code here on Splunk Answers, you can click the code button, which looks like 101010; you can also try the shortcut CTRL+K after highlighting the code/data, or in the worst case press Enter before typing the code and add four spaces before every line of the code/data to enable a code section. If you do not do so, special characters will get escaped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@swetasoneji, have you tried the answer above with the run-anywhere example?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

swetasoneji
New Member

This doesn't fit with the search I'm using.

https://regex101.com/r/ELFlV3/1

But I don't want anything from the sample test run.

Result should be: 8768,789JRH,789JRH,789JRH,7854JRH


swetasoneji
New Member

rex field=_raw "Eex for account(s):\s+(?[^,]+)"


elliotproebstel
Champion

Try using the code 101010 button or wrapping your rex command with backticks.
