Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I extract values starting with a specific name using regex?

Shan
Builder
‎08-22-2018 10:01 PM

Hi All,

Kindly help me with regex for below sample data.
Its only a sample there might be some other pattern of data.
I need to extract only the values starting with INC eg(INC000013444216,INC000033109432,INC000000000958,INC000014660933) and store in a separate field.

DESCRIPTION"Request Information ticket no.: INC000013444216"
DESCRIPTION"Gathered Info ticket no.:INC000033109432 & the bad data."
DESCRIPTION"DDD D Required Informed ticket no.:INC000000000958 "
DESCRIPTION"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB" 
DESCRIPTION"DD DS Access of the ticket no.:INC000000000958 and INC000014660933"
DESCRIPTION"Self comment ticket no.: INC000014141414 & INC000014071414"
DESCRIPTION"Known data ticket no.: INC000014222242 (INC000014555536)"
DESCRIPTION"Other DB ticket no.: INC000013777778 | 6020359"
DESCRIPTION"My Data base ticket no.:INC000013788880 and INC000013999916"
DESCRIPTION"Stay For the Information ticket no.: INC000013111117 | INC000013123418 "
DESCRIPTION"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599"
DESCRIPTION"Correct Informed ticket no.:INC000045675462, INC000009878538 "
DESCRIPTION"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more"

Thanks in advance 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-22-2018 10:16 PM

@shankarananth Some of your events have more than one INC#####, do you want to extract all? Also There is one event with | 6020359. Is that INC as well?

Can you try the following run anywhere example?

| makeresults
| eval description=" DESCRIPTION\"Request Information ticket no.: INC000013444216\";
 DESCRIPTION\"Gathered Info ticket no.:INC000033109432 & the bad data.\";
 DESCRIPTION\"DDD D Required Informed ticket no.:INC000000000958 \";
 DESCRIPTION\"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB\"; 
 DESCRIPTION\"DD DS Access of the ticket no.:INC000000000958 and INC000014660933\";
 DESCRIPTION\"Self comment ticket no.: INC000014141414 & INC000014071414\";
 DESCRIPTION\"Known data ticket no.: INC000014222242 (INC000014555536)\";
 DESCRIPTION\"Other DB ticket no.: INC000013777778 | 6020359\";
 DESCRIPTION\"My Data base ticket no.:INC000013788880 and INC000013999916\";
 DESCRIPTION\"Stay For the Information ticket no.: INC000013111117 | INC000013123418 \";
 DESCRIPTION\"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599\";
 DESCRIPTION\"Correct Informed ticket no.:INC000045675462, INC000009878538 \";
 DESCRIPTION\"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more\""
| makemv description delim=";"
| mvexpand description
| rex field="description" "(?<IncidentNumber>INC\d+)" max_match=0

max_match=0 extracts multiple Incident Numbers. If you remove the argument it will extract only first occurrence.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-22-2018 10:16 PM

@shankarananth Some of your events have more than one INC#####, do you want to extract all? Also There is one event with | 6020359. Is that INC as well?

Can you try the following run anywhere example?

| makeresults
| eval description=" DESCRIPTION\"Request Information ticket no.: INC000013444216\";
 DESCRIPTION\"Gathered Info ticket no.:INC000033109432 & the bad data.\";
 DESCRIPTION\"DDD D Required Informed ticket no.:INC000000000958 \";
 DESCRIPTION\"Defined Info ticket no.:INC000013444444 hsdcgs and FRGHBB\"; 
 DESCRIPTION\"DD DS Access of the ticket no.:INC000000000958 and INC000014660933\";
 DESCRIPTION\"Self comment ticket no.: INC000014141414 & INC000014071414\";
 DESCRIPTION\"Known data ticket no.: INC000014222242 (INC000014555536)\";
 DESCRIPTION\"Other DB ticket no.: INC000013777778 | 6020359\";
 DESCRIPTION\"My Data base ticket no.:INC000013788880 and INC000013999916\";
 DESCRIPTION\"Stay For the Information ticket no.: INC000013111117 | INC000013123418 \";
 DESCRIPTION\"Check Info ticket no.: INC000012345597 INC000000003596 INC000009873598 INC000067893599\";
 DESCRIPTION\"Correct Informed ticket no.:INC000045675462, INC000009878538 \";
 DESCRIPTION\"All Information ticket no.:INC000067898690 (5393953), INC000011114463 (5536973) and more\""
| makemv description delim=";"
| mvexpand description
| rex field="description" "(?<IncidentNumber>INC\d+)" max_match=0

max_match=0 extracts multiple Incident Numbers. If you remove the argument it will extract only first occurrence.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Shan
Builder
‎08-22-2018 10:27 PM

@niketnilay,

It's working fine.. Thanks for your help :-).
I hope still i need to upgrade myself in many things..

Please convert your comment into answers.. So i can accept it ..

Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎08-23-2018 09:10 AM

I've converted the comment to an answer, so it can now be accepted, @shankarananth.

Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-22-2018 10:13 PM

Assuming that they all have exactly the same number of numbers after them (12)...

  | rex field=_raw max_match=0 "(?<INC_Number>INC\d{12})"

The above will extract all INC numbers in the field _raw and put them in a multivalue field. You can query how many matches were made with... 

| eval MatchCount=coalesce(mvcount(INC_Number),0)

The coalesce will set the count to 0 if there were no matches.

If they can have a range of number lengths, say 10 to 12, then change the \d{12} to \d{10,12}

Reply
Solved! Jump to solution

Shan
Builder
‎08-22-2018 10:32 PM

@ DalJeanis,

I have tried your too its working good ..
A small addition 🙂 ..

 | rex field=_raw max_match=0 "(?<INC_Number>INC\d{12})"

Thanks you ....

Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-26-2018 01:31 PM

@shankarananth - updated. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...