Solved: rex field extraction

swetasoneji · ‎04-18-2018

How would I extract account number here,

message:Receiving exp from: Long URL /Eex for account(s): 8768

rex field=_raw "Exposure for account(s):\s+(?[^,]+)"

It neither brings result nor error.

FrankVl · ‎04-18-2018

Your message sample says /Eex, your regex starts with "Exposure". Is that just a typo or so in your sample, otherwise that could be one of the issues.

Also:

If you want to actually match a ( character, you need to escape it
your capturing group needs to be named, such that it will get put into a field

To keep it simple (you can enhance it if you need), something like this should work:

| rex field=_raw "account\(s\):\s+(?<account_number>\d+)"

See also: https://regex101.com/r/ELFlV3/1

View solution in original post

TISKAR · ‎04-19-2018

Yes, its easy this

| makeresults 
      | eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR"
      | rex field=_raw "Eex for account\(s\):\s+(?<accounts>.*)"
 | makemv delim="," accounts
 | mvexpand accounts
| rex field=accounts "(?\d+)"

swetasoneji · ‎04-19-2018

that above won't help. As I'm extracting info from logs and we're limited here.
thus need to extract with rex

'| rex field=_raw "account(s):\s+(?\d+)"'

this is correct but it's taking only digit however my accounts are with numbers and digit. Also there is text after that too, which would like to eliminate and limit to accounts only.

TISKAR · ‎04-19-2018

TISKAR · ‎04-19-2018

Hello,

To take a multivalues, you can use makemv and mvexpand command:

| makeresults 
     | eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 7293,7243BMKTL, 8987,5787JHR"
     | rex field=_raw "Eex for account\(s\):\s+(?<accounts>.*)"
| makemv delim="," accounts
| mvexpand accounts

If that'd work please accept the anwser to help another person with some problem

TISKAR · ‎04-19-2018

Hey,

What are doing it's correct you must juste add \ to ( like n\(s\), and add name of field extract like ?\<accounts\>, for example:

| makeresults 
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768"
| rex field=_raw "Eex for account\(s\):\s+(?<accounts>[^,]+)"

swetasoneji · ‎04-19-2018

I'm actually trying to do this.
https://regex101.com/r/ELFlV3/1

I want to only take accounts. Don't want take any text after that.

elliotproebstel · ‎04-19-2018

It sounds like your event might have more data after the account number(s). Can you paste a full sample event, so that we can help you figure out how to extract all account numbers but not the text after the accounts?

TISKAR · ‎04-19-2018

You can test directly in Splunk, that take only number not texte, copie and past all the request in Search bar

swetasoneji · ‎04-19-2018

Manage to work it up:

https://regex101.com/r/ELFlV3/1

Thanks all for your help.

richgalloway · ‎04-19-2018

@swetasoneji If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

FrankVl · ‎04-18-2018

Your message sample says /Eex, your regex starts with "Exposure". Is that just a typo or so in your sample, otherwise that could be one of the issues.

Also:

If you want to actually match a ( character, you need to escape it
your capturing group needs to be named, such that it will get put into a field

To keep it simple (you can enhance it if you need), something like this should work:

| rex field=_raw "account\(s\):\s+(?<account_number>\d+)"

See also: https://regex101.com/r/ELFlV3/1

swetasoneji · ‎04-19-2018

Thanks a lot.

This worked | rex field=_raw "account(s):\s+(?\d+)"

But let's if I've multiple accounts here..7293,7243BMKTL, 8987,5787JHR

FrankVl · ‎04-19-2018

What do you want to do with multiple account numbers? Take the first one? Take them all and make it a multi value field?

swetasoneji · ‎04-19-2018

how to make multi value field

swetasoneji · ‎04-19-2018

https://regex101.com/r/ELFlV3/1

Don't want to take sample test run in my result:

Final result would be 8768,789JRH,789JRH,789JRH,7854JRH

niketn · ‎04-18-2018

@swetasoneji, following is a run anywhere search based on the sample data to fetch account.

| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768"
| rex "\/Eex for account\(s\):\s(?<accounts>.*)"

Based on your data and partial rex seems like if there are multiple accounts they would be comma separated. Can you please add another sample for multiple accounts?

You can try the following run anywhere search if multiple accounts are comma separated.

| makeresults
| eval _raw="message:Receiving exp from: Long URL /Eex for account(s): 8768.8851,8423"
| rex "\/Eex for account\(s\):\s(?<accounts>.*)"
| makemv accounts delim=","
| mvexpand accounts

Following is the like from regex101.com for you to test regular expression with your sample data and alsi understand how regular expression is working: https://regex101.com/r/m1dGQZ/1
While posting sample data or Code here on Splunk Answers you can click the code button which looks like 101010, you can also try shortcut CTRL+K after highlighting the code/data, or in worst case press an enter before typing the code and add four spaces before every line of the code/data to enable code section. If you do not do the same special characters will get escaped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎04-19-2018

@swetasoneji, have you tried the answer above with run anywhere example?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

swetasoneji · ‎04-19-2018

this doesn't fit with the search I'm using it.

https://regex101.com/r/ELFlV3/1

But don't want anything from sample test run.

Result should be:8768,789JRH,789JRH,789JRH,7854JRH

swetasoneji · ‎04-18-2018

rex field=_raw "Eex for account(s):\s+(?[^,]+)"

elliotproebstel · ‎04-18-2018

Try using the code 101010 button or wrapping your rex command with backticks.

rex field extraction

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...