Solved: REX / REGEX question

dbrown0412 · ‎05-27-2014

Hi all, I am new to splunk. I am trying to extract a field from a line in a record where the field will always begin with a 2 letter state code followed by 8 additional charaters. The record also contains a two letter state field I would like to use as a variable for the extraction search, since the state will vary from record to record. Also the position of this field to be extracted will vary from record to record. I have played with multiple variations of REX and REGEX with EVAL and havent found the answer for reading a variable into the expression, or allowing the extraction position to vary across different records.

Any help would be greatly appreciated.

richgalloway · ‎05-28-2014

If the location of the state varies within the comments field and the format is consistent with your example, then this should find it.

\s+(?<state>[A-Z]{2}[0-9]{8})\s+

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-28-2014

If the location of the state varies within the comments field and the format is consistent with your example, then this should find it.

\s+(?<state>[A-Z]{2}[0-9]{8})\s+

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎05-28-2014

Please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

dbrown0412 · ‎05-28-2014

Thanks all. Changed the field to _raw and it works great

theouhuios · ‎05-28-2014

Sorry for not seeing your answer when I updated mine 🙂

dbrown0412 · ‎05-28-2014

Yes, the location of CA12345678 will vary within the comments field

theouhuios · ‎05-28-2014

Try this

   (?P<State>[A-Z]{2}[0-9]{8})\s+

theouhuios · ‎05-28-2014

Will the location of CA12345678 also be changing? If not try this "\,\w+\s+\w+\s+(?P[A-Za-z0-9]+)\s+"

dbrown0412 · ‎05-28-2014

Here is an example of what a comments field looks like. The CA12345678 is what I need to extract. The state can vary, as can the location of the data needed with the comments.

FT JOE BB72649 BBB 9998372615 FT REQ ASST W/ACT ANYTHING VALID ABC,CURRENT WORDS CA12345678 NOT ALLOWING NEW BOGUS PHRASES TO GO THROUGH.ADVSD FT.FOO USELESS

richgalloway · ‎05-28-2014

Please provide some sample events (data). At least the comments field.

---
If this reply helps you, Karma would be appreciated.

dbrown0412 · ‎05-28-2014

Hi. Sure. Here is the most recent example I have been working with.

sourcetype=file earliest=-1d@d latest=now |eval temp=STATE | rex field=comments "(?$temp$\S{8})"| stats count as total by field1, field2,field3 | table field1,field2,field3 |sort -total|head 10

If I remove $temp$ and use [NY] for example, I get some valid responses, but it doesn't seem to be handling the varying start position of the data in the record.

MuS · ‎05-27-2014

could you please provide some samples?

REX / REGEX question

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio