Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regular expression in Datamodel attribute

snemiro_514
Path Finder
‎12-11-2014 10:02 AM

Hi splunkers,

I need to create a new attribute in one datamodel. I think I don't understand the syntax or what's going on.

The field tranID contains two letters and a number (FR82734, WR293482) . I need a new field auxTranID containing only the number portion...so this is what I did:

In the search box:

| datamodel DATATEST TRAN search | rex field="TRAN.tranID" (? New FIELD NAME BETWEEN ANGLE BRACKETS \d+)"

Then I have a new field auxTranID with the proper numeric value.

If I go to the add attribute feature in the datamodel definition and I add a rex expression selecting the field tranID and writting "(? New FIELD NAME BETWEEN ANGLE BRACKETS \d+)" in the regex field, I don't see the new field in the object.

What am I doing wrong?

Thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

snemiro_514
Path Finder
‎12-11-2014 10:43 AM

Wow.

I've removed the quotes and it started working.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

snemiro_514
Path Finder
‎12-11-2014 10:43 AM

Wow.

I've removed the quotes and it started working.

View solution in original post

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!