topic wether or is possible inside a regex in Splunk Search

wether or is possible inside a regex

john — Wed, 09 May 2012 10:01:33 GMT

hi,

A1.abc-ab.1000.11111
A1.ab.1000.11111

This is the format of data what iam trying to extract using regex.Since both the datas are values of same instance i want to exctract these both values using 1 regex so as to compare it with other values

... | rex field=_raw "(?<value>(\w\d\.\w+\-\w+\.\d{4}\-\d{8})|(\w\d\.\w+\.\d{4}\.d{7}))"| table value

this is what i have tried but it is fetching only the data matching with the first bracket ie A1.abc-ab.1000.11111 .Please help

Re: wether or is possible inside a regex

kristian_kolb — Wed, 09 May 2012 10:36:26 GMT

There are a couple of errors in your regex, and you're probably making it too complicated. \w also matches digits, and you're missing the backslash for the last \d. Using character classes ([]) simplifies a lot.

rex field=_raw "\s(?<value>[\w]+\.[\w-]+\.\d+\.\d+)\s"

should do it. Note that this may also capture other stuff in your log. Please post some a couple of log events to get better answers.

Hope this helps,

Kristian

Re: wether or is possible inside a regex

kristian_kolb — Wed, 09 May 2012 10:43:38 GMT

updated. /k