Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a regular expression to extract this string from four types of patterns in my sample data?

virtualme
New Member
‎06-18-2016 11:57 PM

Hi,

I have the following 4 kinds of text in logs in a single file. I want to extract the string - Customer Num (starting with a number and followed by letters). I wish to write 1 single regex search which can handle all types of logs.

I have been able to handle & extract the Customer Number from first 3 types of pattern (one regex for each row, which is not optimal), but the fourth is turning to be a problem because it is sort of a superset of the two lines of log..

Log Text -
"/GW_SS/SPut/s/123abc/
"/GW_SS/SPut/icam/165abc/
/GW_SS/GtImFile/2245dbvf/ngH
"/GW_SS/123xy/GetPendingP"
"/GW_SS/009876/connectInfo"
I have to extract "123abc" / "165abc", "2245dbvf" , "123xy" & "009876" which is a Customer ID from each row of logs. This string I need to extract always begins with a number, and have letters following it..

Can someone please help.. I want to manage all these with 1 single regex..

0 Karma
Reply

sundareshr
Legend
‎06-20-2016 03:55 PM

This should capture all scenarios

\/(?<user>\d+\w*)
0 Karma
Reply

virtualme
New Member
‎06-20-2016 08:51 PM

Hey.. Thanks for the answer.. It's good as a regular expression, but for some reason isn't working out in Splunk.. The "/" expression makes the results go haywire..

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2016 11:30 AM

This regex string works with your sample data

 (?<user>\d+\w+)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ddrillic
Ultra Champion
‎06-19-2016 02:44 PM

Work like a charm -

base search 
| eval data="/GW_SS/SPut/s/123abc/"
| rex  field=data "(?<user>\d+\w+)"
0 Karma
Reply

virtualme
New Member
‎06-20-2016 02:48 PM

Thanks for your response... This serves the the type 4 & 5 of the logs...
Although I have reg-ex for the first 3 types, I am looking for a solution wherein I can handle all 4 types in 1 single reg-ex to extract the Customer ID..
Do you think its possible?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2016 03:15 PM

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

virtualme
New Member
‎06-20-2016 02:50 PM

Thanks for your response... This serves the the type 4 & 5 of the logs...
Although I have reg-ex for the first 3 types, I am looking for a solution wherein I can handle all 4 types in 1 single reg-ex to extract the Customer ID..
Do you think its possible?

0 Karma
Reply

ddrillic
Ultra Champion
‎06-20-2016 03:52 AM

Not my question ; -)

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...