
How to pattern match with the extracted field

Deprasad
Path Finder

I have a report generated with the following fields,

Field 1, Field 2, Field 3.

I have to create an alert based on the Field 1 value (it's a phone number field which consists of 0-9, -, +, *) satisfying the conditions below.

• Number starts with 101 and is greater than 5 digits
• Number starts with *xy101 and is greater than 8 digits
• Number starts with *xy011 and is greater than 8 digits


jpolvino
Builder

Not 100% sure if you are or are not counting the digits you provided in your counts, or if the "xy" is literally "xy", but this matches the examples you provided:

| regex "Field 1"="^(101)\d{3,}$|^\*xy(101|011)\d{6,}$"

See https://regex101.com/r/0bioQt/1

If this isn't quite right, please post real examples of fields you are looking to match, and ones you want to reject (do not alert on).


richgalloway
SplunkTrust

You can use the regex command to filter events to those containing the proper number sequence.

... | regex Field1="(^101\d{2,}|^\*xy(101|011)\d{6,})" | ...
---
If this reply helps you, Karma would be appreciated.
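As an added check, not part of either answer above, the following Python builds the same kind of anchored alternation from a small rule table (literal prefix plus minimum total digit count), so the digit counts are computed rather than hand-typed, and runs it over constructed sample values alongside the accepted answer's regex. Python's re handles these constructs (anchors, \d, bounded quantifiers, escaped *) the same way as the PCRE engine Splunk's regex command uses; the ALERT_RULES table and all sample values are assumptions chosen to mirror the question.

```python
import re

# Alert rules from the question as (literal prefix, minimum total digit count).
# "Greater than 5 digits" is read as at least 6, as in the accepted answer's \d{3,}.
# Constructed to mirror the original post; adjust the counts if the reading differs.
ALERT_RULES = [
    ("101", 6),
    ("*xy101", 9),
    ("*xy011", 9),
]


def build_pattern(rules):
    """Build one anchored, alternation-based regex from prefix/min-digit rules.

    Each prefix goes through re.escape so characters that are legal in the
    phone field ('*', '+') are matched literally, not as regex operators.
    The trailing \\d{n,} is the minimum count minus the digits already in the prefix.
    """
    alternatives = []
    for prefix, min_digits in rules:
        digits_in_prefix = sum(ch.isdigit() for ch in prefix)
        remaining = max(min_digits - digits_in_prefix, 0)
        alternatives.append(rf"^{re.escape(prefix)}\d{{{remaining},}}$")
    return re.compile("|".join(alternatives))


ALERT_PATTERN = build_pattern(ALERT_RULES)

# The accepted answer's pattern, kept for side-by-side comparison.
ACCEPTED_PATTERN = re.compile(r"^(101)\d{3,}$|^\*xy(101|011)\d{6,}$")


def should_alert(value):
    """True when a Field 1 value satisfies one of the alert rules."""
    return ALERT_PATTERN.match(value) is not None


def classify(values):
    """Split constructed Field 1 values into (alert, reject) lists."""
    alert = [v for v in values if should_alert(v)]
    reject = [v for v in values if not should_alert(v)]
    return alert, reject


if __name__ == "__main__":
    # Constructed samples: enough digits, too few, wrong prefix, and an unanchored match.
    samples = ["101234", "10123", "*xy101123456", "*xy01112345",
               "*xy111123456", "+101234", "x*xy101123456"]
    print(classify(samples))
```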