Rex - Extract till first set of numbers

harshal_chakran
Builder

Hi,
I have the following values in the field DATA, from which I want to extract the text from the start till the first set of numbers.

ABCD_EFG_HIJ_9998_LNM_HASJ_kasldj_a781-4413-7708
ABCD_EFG_4039_DATA_LOST_SAMPLE
FG_GG_1386_NUM125679_HR_1111_GHH_KSN_JASKK
ABCD_EFG_4039_DATA_7837_LOST_SAMPLE
XYZ_1920_MM_KK_LL_DATAFORMAT_SAMPLE

What I want is to extract up to and including the first set of numbers, wherever it occurs, i.e.
ABCD_EFG_HIJ_9998
ABCD_EFG_4039
FG_GG_1386
ABCD_EFG_4039
XYZ_1920

I have tried the following rex: rex field=DATA "(?<EXTRACTED_DATA>.*\d{4})\_", and also the Splunk-provided field extraction, but no luck.

0 Karma

javiergn
SplunkTrust

Hi,

If I understand correctly, you just want to extract everything from the start until the first set of numbers, but include that set of numbers in your token, right?

In that case, this is the regex I would use:

^(?<EXTRACTED_DATA>\D+\d+)

Example:

| makeresults
| eval DATA = "ABCD_EFG_HIJ_9998_LNM_HASJ_kasldj_a781-4413-7708"
| rex field=DATA "^(?<EXTRACTED_DATA>\D+\d+)"

Output (see picture below):

Thanks,
J

harshal_chakran
Builder

Thanks, this works for me.
Yes, I wanted the extraction to include the first set of numbers.

0 Karma

gcusello
SplunkTrust

Hi harshal_chakranarayan,
try this regex

| rex "^(?<my_field>[^0-9]*)"

you can test it at https://regex101.com/r/mkbCMt/1

Bye.
Giuseppe

0 Karma

harshal_chakran
Builder

Thanks for the answer, but I want the extraction to include the first set of numbers.

0 Karma
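
Added example, not part of any post in this thread: a Python check of the three patterns above against the five DATA values from the question, reporting which values each pattern gets wrong. Python's `re` writes named groups as `(?P<name>...)` instead of `(?<name>...)`; the `variant` pattern and the two edge-case strings are constructed here and do not come from the thread.

```python
import re

# Patterns from the thread, with Splunk's (?<name>...) written as Python's (?P<name>...).
PATTERNS = {
    "question": r"(?P<EXTRACTED_DATA>.*\d{4})\_",  # attempt in the question (greedy .*)
    "accepted": r"^(?P<EXTRACTED_DATA>\D+\d+)",    # accepted answer
    "prefix": r"^(?P<EXTRACTED_DATA>[^0-9]*)",     # other answer: stops before the digits
    # Added variant, not from the thread: also accepts a value that starts with digits.
    "variant": r"^(?P<EXTRACTED_DATA>\D*\d+)",
}

# DATA values from the question mapped to the output the poster asked for.
WANTED = {
    "ABCD_EFG_HIJ_9998_LNM_HASJ_kasldj_a781-4413-7708": "ABCD_EFG_HIJ_9998",
    "ABCD_EFG_4039_DATA_LOST_SAMPLE": "ABCD_EFG_4039",
    "FG_GG_1386_NUM125679_HR_1111_GHH_KSN_JASKK": "FG_GG_1386",
    "ABCD_EFG_4039_DATA_7837_LOST_SAMPLE": "ABCD_EFG_4039",
    "XYZ_1920_MM_KK_LL_DATAFORMAT_SAMPLE": "XYZ_1920",
}

# Constructed edge cases (not from the thread).
EDGE_CASES = ["1234_ABC", "NO_DIGITS_HERE"]


def extract(name, value):
    """Capture of pattern `name` on `value`, or None when the pattern does not match."""
    m = re.search(PATTERNS[name], value)
    return m.group("EXTRACTED_DATA") if m else None


def mismatches(name):
    """Map each sample value that pattern `name` gets wrong to what it captured."""
    got = {value: extract(name, value) for value in WANTED}
    return {v: g for v, g in got.items() if g != WANTED[v]}


if __name__ == "__main__":
    for name in PATTERNS:
        wrong = mismatches(name)
        print(f"{name}: {len(WANTED) - len(wrong)}/{len(WANTED)} samples as wanted")
        for value, got in wrong.items():
            print(f"    {value} -> {got!r}")
        for value in EDGE_CASES:
            print(f"    edge {value!r} -> {extract(name, value)!r}")
```

The greedy `.*` in the question's pattern backtracks only as far as the last four-digit run followed by an underscore, so it overshoots on the values that contain a second such run.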