Question

I am using a rex in Splunk to extract the decimal amount from a field that contains the amount plus the 3-digit currency code. Both values are separated by a space.

Examples:

200.00 INR
2390.11 INR
1.00 INR
1789.00 INR

I am using the rex command inline:

rex field=TxnAmt "(?<TxnAmt>[^\s]\d+.\d+)"

Using this command is mostly successful, but where my error comes into play is with the 1.00 INR.

Results:

200.00
2390.11
1.00 INR
1789.00

Any ideas would be helpful. Full disclaimer: I am not a full programmer, nor do I aspire to be, but I do enjoy writing regexes on Splunk.

Solution

There are a few problems with your current regex; try changing [^\s]\d+.\d+ to the following:

\d+\.\d+

Your current regex does not escape the ., so the . in your regex will actually match any character. I'm not really sure what you are trying to do with [^\s], since this will match a single non-whitespace character, and it looks like you are only interested in the digits.

Your current regex fails on "1.00 INR" because the 1 is matched by [^\s], and then your regex looks for one or more digits but the next character is a ..

OTHER TIPS

Well I don't know about rex, but if it's just a plain ole regex you need, this would work:

\d+\.\d+(?= [a-zA-Z]{3})

1 or more digits, followed by a decimal, followed by 1 or more digits, and making sure it has a space and 3 letters following it.
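
Added example (not part of the original question or answers): a Python emulation of the three patterns on this page, run over the question's sample values plus two constructed edge cases. It assumes rex leaves the field unchanged when the pattern does not match, as the question's results suggest; Python spells the named group (?P<name>...) where Splunk uses (?<name>...).

```python
import re

# Patterns from the page. Python needs (?P<name>...) for named groups;
# Splunk's rex (PCRE) accepts (?<name>...).
ORIGINAL = r"(?P<TxnAmt>[^\s]\d+.\d+)"              # the question's regex
ESCAPED = r"(?P<TxnAmt>\d+\.\d+)"                    # fix from the Solution
ANCHORED = r"(?P<TxnAmt>\d+\.\d+(?= [a-zA-Z]{3}))"   # fix from Other Tips

# The four values from the question, plus two constructed edge cases:
# a non-amount that an unescaped "." lets through, and an amount that is
# not followed by a 3-letter currency code.
SAMPLES = [
    "200.00 INR",
    "2390.11 INR",
    "1.00 INR",
    "1789.00 INR",
    "12x34 INR",   # constructed
    "7.25 %",      # constructed
]


def rex(pattern, value):
    """Emulate rex on one field value.

    Assumption: on a match the named group overwrites the field; on no
    match the field keeps its original value.
    """
    m = re.search(pattern, value)
    return m.group("TxnAmt") if m else value


def extract_all(pattern):
    """Apply one pattern to every sample and return the resulting values."""
    return [rex(pattern, s) for s in SAMPLES]


if __name__ == "__main__":
    for name, pat in [("original", ORIGINAL), ("escaped", ESCAPED), ("anchored", ANCHORED)]:
        print(f"{name:9}", extract_all(pat))
```

The original pattern leaves "1.00 INR" untouched and accepts "12x34" as an amount; the escaped pattern fixes both, and the lookahead version additionally refuses "7.25 %" because no currency code follows.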

Licensed under: CC-BY-SA with attribution