Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for numbers appearing only after letters in a field?

PDXKiel
Path Finder
‎05-21-2020 10:33 AM

I have a field called CARDFILOGO and I want to search it for ones that start with "JU" and end in numbers. I do not want JU followed by letters so a wild card won't work. What's the best way to get these?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-21-2020 10:40 AM

Try ... | regex CARDFILOGO="JU\d+".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-21-2020 10:40 AM

Try ... | regex CARDFILOGO="JU\d+".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

PDXKiel
Path Finder
‎05-21-2020 11:03 AM

Would be able to add an additional condition here? I want to get ones starting with JU followed by a number AND ones that start with a "J" followed by numbers.

0 Karma
Reply
Solved! Jump to solution

darrenfuller
Contributor
‎05-21-2020 11:17 AM

| regex CARDFILOGO="JU?\d+"

or

| regex CARDFILOGO="(JU|J)\d+"

0 Karma
Reply
Solved! Jump to solution

PDXKiel
Path Finder
‎05-21-2020 11:29 AM

Thanks, but both of these seem to get me results where there is a "J" followed by digits so it's picking up ones like FJ10, FJ20 and so on...

0 Karma
Reply
Solved! Jump to solution

PDXKiel
Path Finder
‎05-21-2020 12:10 PM

It's long but this seems to get me what I need but I feel like there should be a shorter way to express this:

search CARDFILOGO=JU* OR CARDFILOGO=J0* OR CARDFILOGO=J1* OR CARDFILOGO=J2* OR CARDFILOGO=J3* OR CARDFILOGO=J4* OR CARDFILOGO=J5* OR CARDFILOGO=J6* OR CARDFILOGO=J7* OR CARDFILOGO=J8* OR CARDFILOGO=J9*

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-21-2020 12:14 PM

Try | regex CARDFILOGO="^JU?\d+".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

PDXKiel
Path Finder
‎05-21-2020 12:21 PM

That did it, I also did it this way since I know it's a 4 character field and if it starts with a J it will have to have 3 digits after it:
CARDFILOGO="(J\d\d\d|JU\d\d)"

Thanks again for the help!

0 Karma
Reply
Solved! Jump to solution

PDXKiel
Path Finder
‎05-21-2020 10:45 AM

Brilliant, that worked! Thanks Rich, I didn't know you could use regex like that!

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...