Solved: Using rex to extract one or two character digit fr...

naydenk · ‎10-31-2012

Hello
I am trying to extract some digits from a string and I can't seem to get the regex to work. Here is an example of my strings:

ABC-F1KLMNOP7
ABC-F12KLMNOP8
ABC-F2KLMNOP55
ABC-F14KLMNOP66

I want to be able to extract the 1 or 2 digits, depending on whether there is a single digit or 2, starting at the 6th character (in effect pulling just the 6th, or 6th and 7th). In the strings above, I would expect my rex to match 1, 12, 2 and 14.

What I tried is this:

rex field=host .(?<Farm>(\d{1}))
rex field=host .(?<Farm>(\d{2}))
rex field=host .(?<Farm>(\d{1,2}))

The first one works, but returns only the first character (resulting in 1,1,2,1, in the above example) - this is expected. The second works, but returns a value consisting of 2 digits, missing the ones that have a single digit (resulting in 12, 14 in the above example) - this is also expected. The last rex does not work at all - this is not expected. If I understand correctly, {1,2} means the \d should be matched one or two times. Apparently I am wrong...

I suppose I could also do it with a regex matching the 6th and/or 7th character, but that seems like it would be more complex, and not exactly 'ideal'.

bmacias84 · ‎10-31-2012

@naydenk,

Here you go. I would recommend purchasing RegexBuddy and remember to be specific with regex, it can be costly.

With the sample you provided regex statement match in Python, Perl, and PRCE formats.



\w{3}-\w(?<farm>\d{1,2})\w{5,8}\d{1,3}

regexbuddy

Don't foreget to accept or thumbup answer that help up!
Cheers

View solution in original post

Rob · ‎10-31-2012

To explain your three regexes:

rex field=host .(?<Farm>(\d{1}))

Match any character followed by only one digit. The {1} is unneeded in this particular example as just a \d would be the same.

rex field=host .(?<Farm>(\d{2}))

Match any character followed by 2 digits.

rex field=host .(?<Farm>(\d{1,2}))

Match any character followed by a minimum at least 1 digit and up to 2 digits.

@bmacias84 did a great job matching the entire string you have provided with the above regex. But yes, you can go to the 6th position in the string fairly easily. Consider the following simple regex:

.{5}\d+

It basically says, "lets match any 5 characters followed by one or more digits."

For the search syntax, that would be:

rex field=host ".{5}(?<Farm>\d+)"

tgow · ‎10-31-2012

I would recommend grabbing what is not there. Wondering if this will work:

rex field=host "\w+-\w+(?[^\w]+)[^\n]+"

bmacias84 · ‎10-31-2012

@naydenk,

Here you go. I would recommend purchasing RegexBuddy and remember to be specific with regex, it can be costly.

With the sample you provided regex statement match in Python, Perl, and PRCE formats.



\w{3}-\w(?<farm>\d{1,2})\w{5,8}\d{1,3}

regexbuddy

Don't foreget to accept or thumbup answer that help up!
Cheers

naydenk · ‎10-31-2012

Thank you! Now that I see it, it makes sense... 🙂 I am relatively new to regex and it looks like I still need to learn some key concepts, including how it is used in splunk. Your answer helped clear some things up, in addition to working perfectly, thank you!

Using rex to extract one or two character digit from string

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM