Splunk Search

How to write regex to extract three digit numbers from a CSV file and assign the values to a new field?

karthikTIL
Path Finder

HI,

I have source file test.csv which has words like "abc-234 " , "456", "df 654", "er567 -ly".
In all the above words, i want to take only three digit numbers and assign to a field called "eng".
Please let me know how would be the regular expression would be?

Tags (2)
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi karthikTIL,

use something like this:

your base search here | rex "(?<eng>\d{3})" | ...

hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi karthikTIL,

use something like this:

your base search here | rex "(?<eng>\d{3})" | ...

hope this helps ...

cheers, MuS

karthikTIL
Path Finder

HI MuS,

sorry, i forgot to add.
All my words occur after "Title #:"
e.g. Title #: df 654

so i used,

your base search here | rex "Title #:(?\d{3})" | ...

but it did not give any result

0 Karma

MuS
SplunkTrust
SplunkTrust

Sure this will not work, because this regex does not match and you did not specify a field name for the group.
Why didn't you try the regex I provided? This will catch all 3 digit numbers, no matter what comes before or after.
But if you really need to match only the Title #: numbers use something like this:

your base search here | rex "Title\s\#\:[\s\w\-]+(?<eng>\d{3})" | ...

and please don't use your base search here as your search, this is only a place holder 😉

karthikTIL
Path Finder

Thanks MuS, it worked now.
actually i specified field in my query earlier, but it was not displayed in my query above:)

0 Karma

MuS
SplunkTrust
SplunkTrust

you're welcome. please mark this as answered if the provided answer was correct - thx

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...