Other Usage

RegEx Help - how to extract the numbers from string?

madhav_dholakia
Contributor

Hi,

For given sample data set, how can I extract all the numbers (will be always 3 digits) from desc?

 

 

 

| makeresults
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down"
| append
[| makeresults 
| eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"]
| append
[| makeresults 
| eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"]
| append
[| makeresults 
| eval desc="All devices at 456 London, England are alerting as down and unreachable"]
| append
[| makeresults 
| eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]

 

 

 

 

output required:

madhav_dholakia_0-1687328137734.png

 

can you please suggest regex I can use for the same?

Thank you.

Labels (1)
Tags (2)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@madhav_dholakia 

Can you please try the below search?

YOUR_SEARCH
    | rex field=desc "(?<loc>\d+)" max_match=0
    | eval loc = mvjoin(loc,",")

 

My Sample Search :

| makeresults 
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down" 
| append 
    [| makeresults 
    | eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"] 
| append 
    [| makeresults 
    | eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"] 
| append 
    [| makeresults 
    | eval desc="All devices at 456 London, England are alerting as down and unreachable"] 
| append 
    [| makeresults 
    | eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
    | rex field=desc "(?<loc>\d+)" max_match=0
    | eval loc = mvjoin(loc,",")
|table loc

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

View solution in original post

madhav_dholakia
Contributor

thanks @kamlesh_vaghela and @ITWhisperer for prompt response. worked like a charm.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| makeresults
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down"
| append
[| makeresults 
| eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"]
| append
[| makeresults 
| eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"]
| append
[| makeresults 
| eval desc="All devices at 456 London, England are alerting as down and unreachable"]
| append
[| makeresults 
| eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
| rex max_match=0 field=desc "(?<loc>\d{3})"
| eval loc=mvjoin(loc,",")

kamlesh_vaghela
SplunkTrust
SplunkTrust

@madhav_dholakia 

Can you please try the below search?

YOUR_SEARCH
    | rex field=desc "(?<loc>\d+)" max_match=0
    | eval loc = mvjoin(loc,",")

 

My Sample Search :

| makeresults 
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down" 
| append 
    [| makeresults 
    | eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"] 
| append 
    [| makeresults 
    | eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"] 
| append 
    [| makeresults 
    | eval desc="All devices at 456 London, England are alerting as down and unreachable"] 
| append 
    [| makeresults 
    | eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
    | rex field=desc "(?<loc>\d+)" max_match=0
    | eval loc = mvjoin(loc,",")
|table loc

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...