Solved: Regular expression in Datamodel attribute

snemiro_514 · ‎12-11-2014

Hi splunkers,

I need to create a new attribute in one datamodel. I think I don't understand the syntax or what's going on.

The field tranID contains two letters and a number (FR82734, WR293482) . I need a new field auxTranID containing only the number portion...so this is what I did:

In the search box:

| datamodel DATATEST TRAN search | rex field="TRAN.tranID" (? New FIELD NAME BETWEEN ANGLE BRACKETS \d+)"

Then I have a new field auxTranID with the proper numeric value.

If I go to the add attribute feature in the datamodel definition and I add a rex expression selecting the field tranID and writting "(? New FIELD NAME BETWEEN ANGLE BRACKETS \d+)" in the regex field, I don't see the new field in the object.

What am I doing wrong?

Thanks!

snemiro_514 · ‎12-11-2014

Wow.

I've removed the quotes and it started working.

View solution in original post

snemiro_514 · ‎12-11-2014

Wow.

I've removed the quotes and it started working.

Regular expression in Datamodel attribute

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

Regular expression in Datamodel attribute

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I