Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex to extract quoted text aftera stats command

cindygibbs_08
Communicator
‎06-22-2021 03:30 PM

I hope everyone is having a great time today,
I am here to first thank you guys for being so helpful and assertive! you people rock! and second to ask for assistance regarding a regular expression.
I have a field that will contain a string that will start by "check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##"
I want to be able to extract the string that is between the "##"  but... sometimes this field may have a string that starts by "the auth was..." I want to be able to extract any string   between two "#" whenever the value of the field starts with  "check-in unavailable due to external cause the ref code is"  

 

for example
 if I have this:

FIELDCODE
"check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##AIUI- 989 K-IOJ
"the auth was denied code ## uik-55855##"N.A

 

thank you guys SO MUCH

 

Kindy,

Cindy

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-22-2021 04:12 PM 
| makeresults 
| eval _raw="check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##
the auth was denied code ## uik-55855##"
| multikv noheader=t
| fields _raw
| rex "check-in unavailable due to external cause the ref code is ##(?<code>[^#]+)##"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-22-2021 04:12 PM 
| makeresults 
| eval _raw="check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##
the auth was denied code ## uik-55855##"
| multikv noheader=t
| fields _raw
| rex "check-in unavailable due to external cause the ref code is ##(?<code>[^#]+)##"
Reply
Solved! Jump to solution

cindygibbs_08
Communicator
‎06-22-2021 06:15 PM

I have a question what would the rex function will look like if instead of two "#" the coude would come inside two "*"  like this :  **UID J- DIDD**, I would just change the "#" by "*"??

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-23-2021 12:34 AM

Asterisks "*" have special meaning in regex so each would need to be escaped with a backslash "\"

| makeresults 
| eval _raw="check-in unavailable due to external cause the ref code is **AIUI- 989 K-IOJ**
the auth was denied code ** uik-55855**"
| multikv noheader=t
| fields _raw
| rex "check-in unavailable due to external cause the ref code is \*\*(?<code>[^\*]+)\*\*"

 

0 Karma
Reply
Solved! Jump to solution

cindygibbs_08
Communicator
‎06-22-2021 06:02 PM

@ITWhisperer  I am in love with you

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-23-2021 12:29 AM

Thanks Cindy ❤️😁

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...