topic Re: How to use wildcard inside string regex? in Splunk Search

How to use wildcard inside string regex?

limalbert — Tue, 29 Sep 2020 16:34:54 GMT

The log contains string in this format below.

name:X_device:Y_
name-U:X1_Y2_

It has a mixed pattern, and I'm wondering how to use wildcard if I do the regex for name and device in a string (inside double quotations) like below?

rex "name *wildcard* (?<name>\w*)_"
rex "device *wildcard* (?<device>\w*)_"

Re: How to use wildcard inside string regex?

somesoni2 — Mon, 06 Nov 2017 21:40:35 GMT

Hey @limalbert, Please format any search/code/data sample that you post using code button (button with '101010' above the editor) or by pressing Ctrl+K.

In the 2nd example, there is no keyword for device, is that correct or typo? Are you looking for wildcarding the one which I highlighed here: name**:**X and name**-U:**X1 ??

Re: How to use wildcard inside string regex?

limalbert — Mon, 06 Nov 2017 21:53:44 GMT

Hi @somesoni,

I edited the question.

For the second example for device, there is no keyword, and that's why it's a little bit difficult. I found another alternate to wildcard by using this (?:[^/]+)?. I successfully use this to get name field, but I'm still working on the device since it doesn't have keyword.

rex "name(?:[^/]+)?:(?<name>\w*)_"

Re: How to use wildcard inside string regex?

somesoni2 — Mon, 06 Nov 2017 21:57:01 GMT

Give this a try (single rex to extract both)

rex "name[^\:]+\:(?<name>\w+)_(device\:)*(?<device>\w+)"

Re: How to use wildcard inside string regex?

yuanliu — Mon, 06 Nov 2017 22:07:10 GMT

The concept of "wildcard" is more refined in regex so you just have to use the regex format. If you expect 0 or more repetitions of any character, for example, you would use .* instead if just *.

In regex, * means 0 or more repetition of any character preceding it; in one of your examples, name *wildcard*, the first "*" represents 0 or more white spaces, whereas the second "*" represents 0 or more letter "d". If you want your "wildcard" to represent any character in any repetition, you precede "*" with special character ".", which in regex can represent any singe character.

Re: How to use wildcard inside string regex?

limalbert — Mon, 06 Nov 2017 22:17:19 GMT

Can you help me understand what you did after name? Specifically this one, [^:]+.
Also, it works to get only the first device, so the only output is device:Y.

Re: How to use wildcard inside string regex?

limalbert — Mon, 06 Nov 2017 22:22:50 GMT

Sorry, the output for device is actually only "Y". It only give the one with keyword, but it doesn't give the one without keyword.

Re: How to use wildcard inside string regex?

somesoni2 — Mon, 06 Nov 2017 23:28:20 GMT

This should do it. (runanywhere sample search. Replace everything before rex with your search)

| gentimes start=-1 | eval raw="name:X_device:Y_#name-U:X1_Y2_" | table raw | makemv raw delim="#" | mvexpand raw | rename raw as _raw 
|rex "name[^:]*:(?<name>[^_]+)_(device:)*(?<device>[^_]+)"

Re: How to use wildcard inside string regex?

limalbert — Tue, 07 Nov 2017 02:15:34 GMT

Thank you! This works!