Splunk Search

How to capture only string and remove optional digits with regex

ncrs5699
Explorer

I have a field which has values like below. There are 100+ values for this field, but I just posted 3 sample values. Some values will have digits (6-8) at the end (as shown in the 3rd value: 854623) and some do not have that number. How do I capture only the string, but not the number at the end, using regex?

FKlB2mKprnNYmaeKMLEHuwAAADw --> (for this I need to capture the complete string)
XKlB2pQ3Vg7Fc533j7uljgAAAVU --> (for this I need to capture the complete string)
FKlB2kZez-O1EvQ8BK-XGAAAAJw-854623 --> (for this I need to capture only the string until Jw; I don't need this value: -854623)

I tried like this: | rex field=myField "(?i)(?P<UUID>.*?)\-(?:\d{6,8}|^.*)"
But this is capturing UUID only from the 3rd value. Please help.

1 Solution

niketn
Legend

@ncrs5699, add the following replace() eval function | eval extracted_value=replace(myField,"(.*)(\-\d+)$","\1") to your existing search with myField. Following is a run anywhere example based on sample data provided and the explanation for extraction:

| makeresults 
| eval myField="FKlB2mKprnNYmaeKMLEHuwAAADw;XKlB2pQ3Vg7Fc533j7uljgAAAVU;FKlB2kZez-O1EvQ8BK-XGAAAAJw-854623" 
| makemv delim=";" myField 
| mvexpand myField
| eval extracted_value=replace(myField,"(.*)(\-\d+)$","\1")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


woodcock
Esteemed Legend

OK, now that you have clarified it, try this:

| makeresults 
| eval msg="FKlB2mKprnNYmaeKMLEHuwAAADw FKlB2mKprnNYmaeKMLEHuwAAADw-123 XKlB2pQ3Vg7Fc533j7uljgAAAVU-12345 XKlB2pQ3Vg7Fc533j7uljgAAAVU-123456 XKlB2pQ3Vg7Fc533j7uljgAAAVU-1234567 XKlB2pQ3Vg7Fc533j7uljgAAAVU-12345678 XKlB2pQ3Vg7Fc533j7uljgAAAVU-123456789" 
| makemv msg 
| eval myNewField = replace(msg, "\-\d{6,8}$", "")

ncrs5699
Explorer

This one worked as well. Thanks.



ncrs5699
Explorer

Thank you, it worked.


vnravikumar
Champion

Hi

Try this

| makeresults 
 | eval msg="FKlB2mKprnNYmaeKMLEHuwAAADw;XKlB2pQ3Vg7Fc533j7uljgAAAVU;FKlB2kZez-O1EvQ8BK-XGAAAAJw-854623" 
 | makemv delim=";" msg 
 | mvexpand msg 
 | rex field=msg "\-(?P<output>[\d]+$)"

OR

If you are specific about the length of the digits:

| makeresults 
| eval msg="FKlB2mKprnNYmaeKMLEHuwAAADw;FKlB2mKprnNYmaeKMLEHuwAAADw-3435;XKlB2pQ3Vg7Fc533j7uljgAAAVU-223332;FKlB2kZez-O1EvQ8BK-XGAAAAJw-12234354" 
| makemv delim=";" msg 
| mvexpand msg 
| rex field=msg "\-(?P<output>[\d]{6,8}$)"

New: Check this

| makeresults 
 | eval myField="FKlB2mKprnNYmaeKMLEHuwAAADw;XKlB2pQ3Vg7Fc533j7uljgAAAVU;FKlB2kZez-O1EvQ8BK-XGAAAAJw-854623" 
 | makemv delim=";" myField 
 | mvexpand myField
 | rex field=myField "(?P<output>.*[^-\d]+)"
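The three answers in this thread (niketn's replace() with an unbounded \d+, woodcock's replace() bounded to \d{6,8}, and vnravikumar's final rex with [^-\d]+) give the same result on the three values in the question but differ once a suffix is shorter or longer than 6-8 digits. The Python script below is an added example, not code from the thread or from Splunk; it uses Python's re module as a stand-in for the PCRE engine behind rex and replace(), which agrees with it for these patterns. The first three sample values are the ones from the question; the two extra values (a 3-digit and a 9-digit suffix) are constructed here to show where the length bound matters, and why the asker's original rex yields no UUID at all for values without a matching suffix (a non-matching rex silently leaves the field null, which is easy to miss in a large search).

```python
import re

# Constructed sample values: the first three are from the question, the last
# two are added here to exercise the digit-length bound.
SAMPLES = [
    "FKlB2mKprnNYmaeKMLEHuwAAADw",
    "XKlB2pQ3Vg7Fc533j7uljgAAAVU",
    "FKlB2kZez-O1EvQ8BK-XGAAAAJw-854623",
    "FKlB2mKprnNYmaeKMLEHuwAAADw-123",        # 3-digit suffix (constructed)
    "XKlB2pQ3Vg7Fc533j7uljgAAAVU-123456789",  # 9-digit suffix (constructed)
]


def original_attempt(value):
    """The asker's rex: (?i)(?P<UUID>.*?)\\-(?:\\d{6,8}|^.*)
    The alternative ^.* can never match after a hyphen, so any value without
    a '-' followed by at least 6 digits produces no match and a null UUID."""
    m = re.search(r"(?i)(?P<UUID>.*?)\-(?:\d{6,8}|^.*)", value)
    return m.group("UUID") if m else None


def strip_any_digits(value):
    """niketn's replace(myField, "(.*)(\\-\\d+)$", "\\1"): drop '-' plus any
    number of trailing digits; values without such a suffix pass through."""
    return re.sub(r"(.*)(\-\d+)$", r"\1", value)


def strip_6_to_8_digits(value):
    """woodcock's replace(msg, "\\-\\d{6,8}$", ""): drop the suffix only when
    it is exactly 6 to 8 digits; shorter or longer suffixes are kept."""
    return re.sub(r"\-\d{6,8}$", "", value)


def rex_output(value):
    """vnravikumar's rex "(?P<output>.*[^-\\d]+)": capture everything up to
    the last character that is neither a hyphen nor a digit."""
    m = re.search(r"(?P<output>.*[^-\d]+)", value)
    return m.group("output") if m else None


def compare_all(values):
    """Run every pattern over the values; returns {value: {name: result}}."""
    patterns = {
        "original_attempt": original_attempt,
        "strip_any_digits": strip_any_digits,
        "strip_6_to_8_digits": strip_6_to_8_digits,
        "rex_output": rex_output,
    }
    return {v: {name: fn(v) for name, fn in patterns.items()} for v in values}


if __name__ == "__main__":
    for value, results in compare_all(SAMPLES).items():
        print(value)
        for name, result in results.items():
            print(f"  {name:20s} -> {result!r}")
```

Running the script shows that strip_any_digits and rex_output strip the 3-digit and 9-digit suffixes too, while strip_6_to_8_digits leaves those values untouched; which one is right depends on whether a suffix outside the 6-8 digit range should count as part of the string or as a value to drop.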

niketn
Legend

@ncrs5699 first rex proposed by @vnravikumar is more accurate as per your requirement. Also, \- is not required if the requirement is to pull all digits when the field value ends with digits. \d+$

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ncrs5699
Explorer

Thank you, I have updated my question to make it clearer; also, I have 100+ values for this field.
