Solved: How to extract a field that is changing position i...

omuelle1 · ‎10-24-2016

Hi,

I am trying to extract a field that is changing position in the logs and cannot figure out how to extract it.

"<"BusinessPartnerCode>005003"<"/BusinessPartnerCode> (without the quotes)

The entry looks like above and I am trying to get the numbers in between and name the field. When I mark it with the Splunk Field tool it doesn't work correctly, since the entry changes positions in the events.

Thank you.

Oliver

gokadroid · ‎10-24-2016

try:

If it only had quotes at the end like mentioned in question 005003"

yourBaseSearch
| rex "\"\<\"BusinessPartnerCode\>(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"

If it has quote at start and at end "005003"` try:

yourBaseSearch
| rex "\"\<\"BusinessPartnerCode\>\"(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"

View solution in original post

TStrauch · ‎10-24-2016

Add this to the sourcetype stanza in props.conf

EXTRACT-bpc = \<BusinessPartnerCode\>(?<BusinessPartnerCode>\d{6})\<\/BusinessPartnerCode\>

Or you take the way above for extraction during the search.

gokadroid · ‎10-24-2016

try:

If it only had quotes at the end like mentioned in question 005003"

yourBaseSearch
| rex "\"\<\"BusinessPartnerCode\>(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"

If it has quote at start and at end "005003"` try:

yourBaseSearch
| rex "\"\<\"BusinessPartnerCode\>\"(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"

omuelle1 · ‎10-24-2016

Thank you. Actually my number does not have any quotes (just had to put them there because the Splunk website wouldn't allow the brackets otherwise).

Would this be the correct version without quotes?

| rex "\"<\"BusinessPartnerCode>(?[^\"]+)<\"\/BusinessPartnerCode>"

gokadroid · ‎10-24-2016

I was riding the same boat as you few days ago. Use the "code Sample" formatting button from text editor whenever you are putting a text which splunk website is messing up for tags. So for example If i type below, then select it and press "Code Sample" button, it will appear as follows:

rex "\"\<\"BusinessPartnerCode\>(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"

If I type without highlighting and formatting it as "Code Sample" it looks like below:
rex "\"<\"BusinessPartnerCode>(?[^\"]+)\"<\"\/BusinessPartnerCode>"

See how ?<businessCode> disappears in above in comparison to code sample piece.
So use "Code Sample" button and give the exact sample of line for which you want the regex to be modified and I can paste it here in response.

However if there are no quotes in your sample above and your sample then is below:

<BusinessPartnerCode>005003</BusinessPartnerCode>

Then you can use this regex:

 | rex "\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>"

omuelle1 · ‎10-24-2016

Got you, I was wondering what was the trick. Thank you very much.

<BusinessPartnerCode>001999</BusinessPartnerCode>

So what would be the regex without all the quotes? The one I posted isn't highlighting the the 6 digit code.

gokadroid · ‎10-24-2016

| rex "\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>"

I had pasted it above as well in the ending part of the comment later on.

OR alternatively if you wanna focus on the digits part (as above extracts everything till it enounters <, use below. Either should work

| rex "\<BusinessPartnerCode\>(?<businessCode>\d{6})\<\/BusinessPartnerCode\>"

sundareshr · ‎10-24-2016

Is it always the same number? Is it always 6 digits? Please share some sample events.

omuelle1 · ‎10-24-2016

The number is changing but it's always 6 digits.

How to extract a field that is changing position in the logs?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk