Re: Regex: Simple Substring for Field Extraction

talismanc · ‎07-30-2011

Hi All

I seem to be having a little issue extracting data from a specific position, the data I am working with have fields that start and end at a specific character position. The automatic generator does a good job but seems to miss some data and therefore would simply like to add fields based on character position. For Example:

Data:

27/07/11 18:59 209 03 0014111111190*A 00:05'36

27/07/11 19:18 209 03 00141111119906 00:18'15

27/07/11 22:14 224 03 00117111141136 00:09'01

I would like to extract the data in bold (substring 58-62)

Can this be done simple?

Thanks in advance.

Chris

talismanc · ‎07-30-2011

Hi

Thanks for the reply, i tried that and just got a syntax error.

I have now managed to solve it, i steered clear of just trying to grab the nth to nth character and created the following.

(?i)^\d+/\d+/\d+\s+\d+:\d+\s+\d+\s+\d+\s+\S+\s+(?P<Duration_Mins2>[^']+)

Because sometimes my PBX spat out text and special characters in the Phone Number field it was messing with Splunks Generate capability.

Seems rather simple when i actually stood back and looked at it!!

mw · ‎07-30-2011

Does this work for you?

\s+(?<myfield>\d+:\d+)\'\d+$

Regex: Simple Substring for Field Extraction

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...