topic Re: Can you help me understand the syntax of this rex feld and where such commands are used? in Splunk Search

Can you help me understand the syntax of this rex feld and where such commands are used?

maheshsat — Tue, 02 Jan 2018 03:03:48 GMT

rex field=GB"(?[^]+)"

Hi Team, can any help me to understand each syntax in above command and also would like to know where such commands are used

Re: Can you help me understand the syntax of this rex feld and where such commands are used?

martin_mueller — Tue, 02 Jan 2018 09:56:21 GMT

Make sure you have the correct SPL string, and use the code sample button in the editor to post it here to include all special chars.

As it's readable in your current question there are several syntax issues.

Re: Can you help me understand the syntax of this rex feld and where such commands are used?

mayurr98 — Tue, 02 Jan 2018 10:10:49 GMT

please use 101010 and type your rex query there.

Re: Can you help me understand the syntax of this rex feld and where such commands are used?

maheshsat — Tue, 02 Jan 2018 10:54:38 GMT

rex field=GB"(?<gb>[^]+)"

Re: Can you help me understand the syntax of this rex feld and where such commands are used?

martin_mueller — Tue, 02 Jan 2018 11:06:17 GMT

rex: the command for inline field extractions, see http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/rex
field=GB: use that field to extract from
(): regex capturing group
?<gb>: name the group gb, resulting in a field called gb
[]: regex character class
^: negates whatever is after the ^ in the character class, this is missing in your example. If it were [^a], this would match every character except an a
+: one or more matches

Re: Can you help me understand the syntax of this rex feld and where such commands are used?

nikita_p — Tue, 02 Jan 2018 12:02:02 GMT

Hi @maheshsat,
you can check below splunk docs to understand regular expressions syntax.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/AboutSplunkregularexpressions

Re: Can you help me understand the syntax of this rex feld and where such commands are used?

mayurr98 — Tue, 02 Jan 2018 12:25:39 GMT

Term    Description Example Explanation
*   Match zero or more times.   \w* Matches zero or more word characters.
+   Match one or more times.    \d+ Match at least one digit.
 ?  Match zero or one time. \d\d\d-?\d\d-?\d\d\d\d  Matches a Social Security Number with or without dashes.
( ) Parentheses define match or capture groups, atomic groups, and lookarounds. (H..).(o..) When given the string Hello World, this matches Hel and o W.
[ ] Square brackets define character classes.   [a-z0-9#]   Matches any character that is a through z, 0 through 9, or #.
{ } Curly brackets define repetitions.  \d{3,5} Matches a string of 3 to 5 digits in length.
< > Angle brackets define named capture groups. Use the syntax (?P<var> ...) to set up a named field extraction.    (?P<ssn>\d\d\d-\d\d-\d\d\d\d)   Pulls out a Social Security Number and assigns it to the ssn field.
[[ ]]   Double brackets define Splunk-specific modular regular expressions. [[octet]]   A validated 0-255 range integer.

Also refer this link where you can learn and write regex for specific events
https://regex101.com/

Let me know if this helps you!

Re: Can you help me understand the syntax of this rex feld and where such commands are used?

maheshsat — Tue, 02 Jan 2018 14:17:18 GMT

Thank everyone for helping me

Re: Can you help me understand the syntax of this rex feld and where such commands are used?

richgalloway — Tue, 02 Jan 2018 14:39:26 GMT

@maheshsat, if your problem is resolved, please accept an answer to help future readers.