- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract values from a String.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract values from a String.
Hi i have values in a column like AA(15), ABC(20), ADSF(90).Now i need a regular expression which gives me only values before the Bracket"(".
so i should get AA,ABC,ADSF as my output.
Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
/*source*/ | eval new=replace(Track,"\([0-9]*\)","")| table Track,new
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dsiob,
Thanks, it's working fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, so go back and UpVote and helpful/correct answer and click Accept on the correctest one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this,
source="ABC" sourcetype="csv"|where Level="Lvl3" AND Track="ATL(27)"|rex field=Track mode=sed "s/([^)]*)//"|table "Dom", Track Level
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval Track="ATL(27)"
| eval 'ATL(27)'=Track
| rex field="Track" mode=sed "s/\([^)]*\)//"
| rex field='ATL(27)' mode=sed "s/\([^)]*\)//"
| eval "ATLcopy(27)" = Track
| foreach "*copy(*)" [ rename <<FIELD>> AS "<<MATCHSEG1>>copy" ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Woodcock,
Can you please let me know what i am doing wrong here.
Basically i want the string value to print when i use it in Table funciton:
So the output should be "AA" when i pass "AA(27)" as input.
Here is my query:
source="ABC" sourcetype="csv"|where Level="Lvl3" and Track="ATL(27)"|rex field="ATL(27)" mode=sed "s/([^)]*)//"|table "Dom","field"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not at all clear about what you are trying to do but I have updated my answer with a mockup of 3 different guesses all in one search. One of them should be like what you are trying to do. See the updated answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to get rid of the parentheses and the numeric values in them, use something like:
... | rex field=_raw mode=sed "s/\(\d*\)//g"
If you want to do a single field, use the fieldname instead of _raw. The value will be returned without the parenthesis and numbers, leaving the values you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this.. It will extract out only the AA, ABC, ADSF.. This will create the a field called FIELD_NAME.. You can change it to whatever name you want
(?<FIELD_NAME>\w+)\(\d+\)
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
