- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- rex Named extraction for acronyms that have 4 lett...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm trying to create a named extraction and want to use regex to find all instance of 4 letter acronyms that are all capitol letters.
i.e.: ABCD, DEFG, HIJK, LMNO.
Needs to find only 4 consecution letters that are all CAPS.
Anyone able to provide an example for the syntax I need?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The regex you need is just the following
[A-Z]{4}
In terms of the named extraction you are talking about it all depends where you want to do this.
If you are happy to do it in SPL simply use rex:
your query here
| rex field=YOUR_FIELD_WITH_ACRONMYS "(?<named_field>[A-Z]{4})"
Which will create a new field called "named_field".
If you are expecting more than 1 match in a single event then use max_match=0 in your rex command. It'll then create "named_field" as a multivalue field.
If you want to do this in props.conf and/or transforms.conf I would recommend you read the following doc as again, it all depends on your use case and I don't have enough information to give you a decent advice:
EXAMPLES
This might be the simplest one of all in props.conf:
EXTRACT-acronyms = (?<named_field>[A-Z]{4})
If you wanted that multivalue you could use REPORT in props.conf and then elaborate the extraction in transforms.conf:
# props.conf
[your_sourcetype]
REPORT-acronyms = mv_acronyms
# transforms.conf
[mv_acronyms]
REGEX = (?<named_field>[A-Z]{4})
MV_ADD = true
Hope that helps as a start,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The regex you need is just the following
[A-Z]{4}
In terms of the named extraction you are talking about it all depends where you want to do this.
If you are happy to do it in SPL simply use rex:
your query here
| rex field=YOUR_FIELD_WITH_ACRONMYS "(?<named_field>[A-Z]{4})"
Which will create a new field called "named_field".
If you are expecting more than 1 match in a single event then use max_match=0 in your rex command. It'll then create "named_field" as a multivalue field.
If you want to do this in props.conf and/or transforms.conf I would recommend you read the following doc as again, it all depends on your use case and I don't have enough information to give you a decent advice:
EXAMPLES
This might be the simplest one of all in props.conf:
EXTRACT-acronyms = (?<named_field>[A-Z]{4})
If you wanted that multivalue you could use REPORT in props.conf and then elaborate the extraction in transforms.conf:
# props.conf
[your_sourcetype]
REPORT-acronyms = mv_acronyms
# transforms.conf
[mv_acronyms]
REGEX = (?<named_field>[A-Z]{4})
MV_ADD = true
Hope that helps as a start,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@agoktas please do not forget to accept an answer if you are happy with it
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
