Solved: RegEx Help - how to extract the numbers from strin...

madhav_dholakia · ‎06-20-2023

Hi,

For given sample data set, how can I extract all the numbers (will be always 3 digits) from desc?

| makeresults
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down"
| append
[| makeresults 
| eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"]
| append
[| makeresults 
| eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"]
| append
[| makeresults 
| eval desc="All devices at 456 London, England are alerting as down and unreachable"]
| append
[| makeresults 
| eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]

output required:

can you please suggest regex I can use for the same?

Thank you.

kamlesh_vaghela · ‎06-20-2023

@madhav_dholakia

Can you please try the below search?

YOUR_SEARCH
    | rex field=desc "(?<loc>\d+)" max_match=0
    | eval loc = mvjoin(loc,",")

My Sample Search :

| makeresults 
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down" 
| append 
    [| makeresults 
    | eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"] 
| append 
    [| makeresults 
    | eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"] 
| append 
    [| makeresults 
    | eval desc="All devices at 456 London, England are alerting as down and unreachable"] 
| append 
    [| makeresults 
    | eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
    | rex field=desc "(?<loc>\d+)" max_match=0
    | eval loc = mvjoin(loc,",")
|table loc

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

madhav_dholakia · ‎06-21-2023

thanks @kamlesh_vaghela and @ITWhisperer for prompt response. worked like a charm.

ITWhisperer · ‎06-20-2023

| makeresults
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down"
| append
[| makeresults 
| eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"]
| append
[| makeresults 
| eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"]
| append
[| makeresults 
| eval desc="All devices at 456 London, England are alerting as down and unreachable"]
| append
[| makeresults 
| eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
| rex max_match=0 field=desc "(?<loc>\d{3})"
| eval loc=mvjoin(loc,",")

kamlesh_vaghela · ‎06-20-2023

@madhav_dholakia

Can you please try the below search?

YOUR_SEARCH
    | rex field=desc "(?<loc>\d+)" max_match=0
    | eval loc = mvjoin(loc,",")

My Sample Search :

| makeresults 
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down" 
| append 
    [| makeresults 
    | eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"] 
| append 
    [| makeresults 
    | eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"] 
| append 
    [| makeresults 
    | eval desc="All devices at 456 London, England are alerting as down and unreachable"] 
| append 
    [| makeresults 
    | eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
    | rex field=desc "(?<loc>\d+)" max_match=0
    | eval loc = mvjoin(loc,",")
|table loc

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

RegEx Help - how to extract the numbers from string?

other

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud