Hi,
I am trying to extract a field that is changing position in the logs and cannot figure out how to extract it.
"<"BusinessPartnerCode>005003"<"/BusinessPartnerCode> (without the quotes)
The entry looks like above and I am trying to get the numbers in between and name the field. When I mark it with the Splunk Field tool it doesn't work correctly, since the entry changes positions in the events.
Thank you.
Oliver
try:
If it only had quotes at the end like mentioned in question 005003"
yourBaseSearch
| rex "\"\<\"BusinessPartnerCode\>(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"
If it has a quote at the start and at the end "005003"
try:
yourBaseSearch
| rex "\"\<\"BusinessPartnerCode\>\"(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"
Add this to the sourcetype stanza in props.conf
EXTRACT-bpc = \<BusinessPartnerCode\>(?<BusinessPartnerCode>\d{6})\<\/BusinessPartnerCode\>
Or you can take the approach above for extraction during the search.
Thank you. Actually my number does not have any quotes (just had to put them there because the Splunk website wouldn't allow the brackets otherwise).
Would this be the correct version without quotes?
| rex "\"<\"BusinessPartnerCode>(?[^\"]+)<\"\/BusinessPartnerCode>"
I was in the same boat as you a few days ago. Use the "Code Sample" formatting button in the text editor whenever you are posting text whose tags the Splunk website messes up. So for example, if I type the line below, then select it and press the "Code Sample" button, it will appear as follows:
rex "\"\<\"BusinessPartnerCode\>(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"
If I type without highlighting and formatting it as "Code Sample" it looks like below:
rex "\"<\"BusinessPartnerCode>(?[^\"]+)\"<\"\/BusinessPartnerCode>"
See how ?<businessCode> disappears in the above in comparison to the code sample piece.
So use the "Code Sample" button and give the exact sample of the line for which you want the regex to be modified, and I can paste it here in response.
However, if there are no quotes in your sample above and your sample then is below:
<BusinessPartnerCode>005003</BusinessPartnerCode>
Then you can use this regex:
| rex "\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>"
Got you, I was wondering what was the trick. Thank you very much.
<BusinessPartnerCode>001999</BusinessPartnerCode>
So what would be the regex without all the quotes? The one I posted isn't highlighting the 6 digit code.
| rex "\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>"
I had pasted it above as well in the ending part of the comment later on.
OR alternatively, if you wanna focus on the digits part (as the above extracts everything until it encounters <), use below. Either should work.
| rex "\<BusinessPartnerCode\>(?<businessCode>\d{6})\<\/BusinessPartnerCode\>"
Is it always the same number? Is it always 6 digits? Please share some sample events.
The number is changing but it's always 6 digits.
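The two search-time patterns from the replies above, run against constructed events in which the element sits at a different offset each time. This is an added example and not part of any post in the thread; JavaScript is used only because its regex engine accepts the same `(?<name>...)` group syntax as these patterns, and the sample events and function names are assumptions.

```javascript
// Added example, not from the thread. The two patterns are copied verbatim
// from the replies; String.raw keeps the backslashes exactly as typed in rex.
const ANY_VALUE = new RegExp(
  String.raw`\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>`);
const SIX_DIGITS = new RegExp(
  String.raw`\<BusinessPartnerCode\>(?<businessCode>\d{6})\<\/BusinessPartnerCode\>`);

// Constructed sample events (assumed, not real log data).
const EVENTS = [
  // element in the middle of a plain-text line
  "2024-01-01 10:00:00 INFO <BusinessPartnerCode>005003</BusinessPartnerCode> status=ok",
  // element nested inside other XML
  "<Order><Id>7</Id><BusinessPartnerCode>001999</BusinessPartnerCode></Order>",
  // element at the end, with a value that is not six digits
  "retry=2 payload=<BusinessPartnerCode>12AB</BusinessPartnerCode>",
  // no element at all
  "2024-01-01 10:00:05 WARN no partner element in this event",
];

// Return the captured businessCode, or null when the pattern does not match.
function extract(pattern, event) {
  const m = pattern.exec(event);
  return m ? m.groups.businessCode : null;
}

// Run both patterns over every event so the difference is visible side by side.
function compare(events) {
  return events.map((e) => ({
    anyValue: extract(ANY_VALUE, e),
    sixDigits: extract(SIX_DIGITS, e),
  }));
}

console.table(compare(EVENTS));
```

Neither pattern depends on where the element appears in the event. The `[^\<]+` version captures whatever sits between the tags, while the `\d{6}` version leaves the field unset when the value is not exactly six digits.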