Hi,
I am trying to extract a field in Splunk but the field extraction doesn't work and throws this error
"The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."
Therefore I am trying to write the regex myself, but I am not really good at regex, so I would like you guys' help.
I want to skip the first two numbers in this string and extract the upcoming 6:
0035373112473B CC002017020809521700000001r200000432 SYSTEM 201702081437521
So in this case I want my Field to contain 353731.
This is my current regex but I don't know how I can get it to skip the first two numbers.
(?<ITEM>\s*\s*K\^[0-9][0-9][0-9][0-9][0-9][0-9])
Thank you,
Oliver
Based on your event in the above:
^\d{2}(?<mystring>\d{6})\w+
That looks at the beginning of the line, skips the first 2 digits, and captures the next 6 digits.
Check out this website: https://regex101.com/r/awrCuI/1
Thank you guys!!
Thank you guys, I will need to improve my regex skills since the Field Extractor barely works.
How would I modify the regex if there is white space after the 6 digits?
Like it doesn't match for this case:
00012220 *O082017020900024800000000q0025047000011000000009000000009000000001000000000000000000
You can just use this..
^\w{2}(?<mystring>\d{6})
Here the \w denotes a word space, so all letters upper and lower, numbers, and spaces.. So this will catch events that start with numbers, letters, or spaces x 2
Both worked for me, thank you guys!
Could you guys also help me with how to get the *O (it can be any 2 characters, but always at that same position)? I tried the same thing you guys told me, but the skipping doesn't work, I assume because there is a space in between.
00012220 *O082017020900024800000000q0025047000011000000009000000009000000001000000000000000000
^\w+\s+(?<field>.{2})
might do it?
You can try this...
(\s+|\w+)(?<digits>\d{7})\s+(?<next>\*\w)\w+
This assumes the pattern is also *O, that is, asterisk + letter.
You should just be able to leave out esix's \w+ if I'm correct 🙂
In your case it should not matter what is coming after the first 6 digits (whitespace or some characters), since you will always want the digits right after the beginning of the line.
^\d{2}(?<mystring>\d{6})
Hi there,
If your capturing group is already matching, you can just pull the first two digits (\d{2}) out of the capturing group.
Just execute this as an example: | makeresults | eval test="0035373112473B" | rex field=test "\d{2}(?<ITEM>\d{6})"
Greetings
Edited the regex 🙂
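The patterns suggested in this thread, run against the two sample events as an added example (not part of any post above). Splunk's rex uses PCRE-style `(?<name>...)` groups, which Python's `re` only accepts as `(?P<name>...)`, so the hypothetical helper `to_python` rewrites them; the dictionary labels are names chosen for this example.

```python
import re

# Sample events copied from the thread (the only inputs used here).
EVENTS = [
    "0035373112473B CC002017020809521700000001r200000432 SYSTEM 201702081437521",
    "00012220 *O082017020900024800000000q0025047000011000000009000000009000000001000000000000000000",
]

# Patterns from the thread, keyed by labels invented for this example.
THREAD_PATTERNS = {
    "digits_then_word": r"^\d{2}(?<mystring>\d{6})\w+",
    "digits_anchored": r"^\d{2}(?<mystring>\d{6})",
    "word_prefix": r"^\w{2}(?<mystring>\d{6})",
    "code_after_space": r"^\w+\s+(?<field>.{2})",
}


def to_python(pattern):
    """Rewrite (?<name>...) as (?P<name>...); lookbehinds (?<= / (?<! are left alone."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def extract(label, event):
    """Return the named-group dict for one thread pattern, or None if it does not match."""
    match = re.search(to_python(THREAD_PATTERNS[label]), event)
    return match.groupdict() if match else None


def report():
    """Map each pattern label to its result on every sample event, in order."""
    return {label: [extract(label, e) for e in EVENTS] for label in THREAD_PATTERNS}


if __name__ == "__main__":
    for label, results in report().items():
        print(f"{label:18} {results}")
```

The trailing `\w+` is what makes the first pattern miss the second event, where a space follows the eight leading digits.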