https://community.splunk.com/t5/Splunk-Search/Regex-Conditional-Group-Capture-with-Name/m-p/48204#M11511 <P>Use <CODE>coalesce</CODE> like this:</P> <PRE><CODE>... (?'SW_Date'd{14})|(?'SW_ClaimTrackNum'd+)|(?&gt;(?'temp_NewBinNumber'[0-9]{6})||)(?&gt;([A-z: ]+(?'SW_RespTime'[0-9.]+))|([A-z: ]+))|(?&gt;(?'temp_OldBinNumber'[0-9]{6})(?'temp_RecvdClaimType'[0-9A-z]{4})|(?'temp_SentClaimType'[0-9A-z]{4})) | eval SW_BinNumber=coalesce(temp_NewBinNumber, temp_OldBinNumber) |eval SW_ClaimType=coalesce(temp_RecvdClaimType, temp_SentClaimType) | fields - temp* </CODE></PRE> Sat, 30 May 2015 14:52:56 GMT woodcock 2015-05-30T14:52:56Z https://community.splunk.com/t5/Splunk-Search/Regex-Conditional-Group-Capture-with-Name/m-p/48203#M11510 <P>I'm trying to build 1 regex to capture multiple sets of data. Below is a sample:</P> <PRE><CODE>1. 20110221124637|21410|SENT:0.646861|51B11A011801830658 2. 20110221124854|21411|RECVD|00345251B1 3. 20110221124854|362|003452|SENT: 3.198847|51B11A011801830658 4. 20110221124854|362|003452|RECVD|00345251B1 5. 20110221160534|431|011867|RECVD|01186751B1 6. 20110221160534|431|011867|SENT: 0.278782|51B11A011801830658 </CODE></PRE> <P>Basically these lines are from different versions of a piece of software, but all contain the same information in different places. These are the fields I'd like to extract: Date, BinNumber, ClaimTrackNum, Direction, RespTime and ClaimType.</P> <P>Here is the date:</P> <PRE><CODE>1. 20110221124637 |21410|SENT:0.646861|51B11A011801830658 2. 20110221124854 |21411|RECVD|00345251B1 3. 20110221124854 |362|003452|SENT: 3.198847|51B11A011801830658 4. 20110221124854 |362|003452|RECVD|00345251B1 5. 20110221160534 |431|011867|RECVD|01186751B1 6. 20110221160534 |431|011867|SENT: 0.278782|51B11A011801830658 </CODE></PRE> <P>ClaimTrackNum:</P> <PRE><CODE>1. 20110221124637 |21410| SENT:0.646861|51B11A011801830658 2. 20110221124854 |21411| RECVD|00345251B1 3. 20110221124854 |362| 003452|SENT: 3.198847|51B11A011801830658 4. 20110221124854 |362| 003452|RECVD|00345251B1 5. 20110221160534 |431| 011867|RECVD|01186751B1 6. 20110221160534 |431| 011867|SENT: 0.278782|51B11A011801830658 </CODE></PRE> <P>BinNumber (May exist or not, or be in 2 spots):</P> <PRE><CODE>1. 20110221124637|21410|SENT:0.646861|51B11A011801830658 2. 20110221124854|21411|RECVD| 003452 51B1 3. 20110221124854|362| 003452 |SENT: 3.198847|51B11A011801830658 4. 20110221124854|362| 003452 |RECVD| 003452 51B1 5. 20110221160534|431| 011867 |RECVD| 011867 51B1 6. 20110221160534|431| 011867 |SENT: 0.278782|51B11A011801830658 </CODE></PRE> <P>RespTime (Only exists after a "SENT:" (old style) or "SENT: " (new)): </P> <PRE><CODE>1. 20110221124637|21410|SENT: 0.646861 |51B11A011801830658 2. 20110221124854|21411|RECVD|00345251B1 3. 20110221124854|362|003452|SENT: 3.198847 |51B11A011801830658 4. 20110221124854|362|003452|RECVD|00345251B1 5. 20110221160534|431|011867|RECVD|01186751B1 6. 20110221160534|431|011867|SENT: 0.278782 |51B11A011801830658 </CODE></PRE> <P>ClaimType:</P> <PRE><CODE>1. 20110221124637|21410|SENT:0.646861| 51B1 1A011801830658 2. 20110221124854|21411|RECVD|003452 51B1 3. 20110221124854|362|003452|SENT: 3.198847| 51B1 1A011801830658 4. 20110221124854|362|003452|RECVD|003452 51B1 5. 20110221160534|431|011867|RECVD|011867 51B1 6. 20110221160534|431|011867|SENT: 0.278782| 51B1 1A011801830658 </CODE></PRE> <P>And lastly the direction is either the word "SENT" or "RECVD"</P> <P>I've come up with this regex, which fully matches everything:</P> <PRE><CODE>(?'SW_Date'\d{14})\|(?'SW_ClaimTrackNum'\d+)\|(?&gt;(?'SW_BinNumber'[0-9]{6})\||)(?&gt;([A-z: ]+(?'SW_RespTime'[0-9.]+))|([A-z: ]+))\|(?&gt;(?'SW_BinNumber'[0-9]{6})(?'SW_ClaimType'[0-9A-z]{4})|(?'SW_ClaimType'[0-9A-z]{4})) </CODE></PRE> <P>Which splunk doesn't like... If I simply rename any duplicate field to different names, splunk doesn't have an issue.</P> <PRE><CODE>(?'SW_Date'\d{14})\|(?'SW_ClaimTrackNum'\d+)\|(?&gt;(?'SW_NewBinNumber'[0-9]{6})\||)(?&gt;([A-z: ]+(?'SW_RespTime'[0-9.]+))|([A-z: ]+))\|(?&gt;(?'SW_OldBinNumber'[0-9]{6})(?'SW_RecvdClaimType'[0-9A-z]{4})|(?'SW_SentClaimType'[0-9A-z]{4})) </CODE></PRE> <P>but naturally splunk now thinks that "newbinnumber" and "oldbinnumber" are different fields when they are the exact same.</P> <P>How can I write this regex to always extract those fields as "BinNumber" and "ClaimType"?</P> Tue, 22 Feb 2011 08:03:21 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Conditional-Group-Capture-with-Name/m-p/48203#M11510 healthtrans 2011-02-22T08:03:21Z https://community.splunk.com/t5/Splunk-Search/Regex-Conditional-Group-Capture-with-Name/m-p/48204#M11511 <P>Use <CODE>coalesce</CODE> like this:</P> <PRE><CODE>... (?'SW_Date'd{14})|(?'SW_ClaimTrackNum'd+)|(?&gt;(?'temp_NewBinNumber'[0-9]{6})||)(?&gt;([A-z: ]+(?'SW_RespTime'[0-9.]+))|([A-z: ]+))|(?&gt;(?'temp_OldBinNumber'[0-9]{6})(?'temp_RecvdClaimType'[0-9A-z]{4})|(?'temp_SentClaimType'[0-9A-z]{4})) | eval SW_BinNumber=coalesce(temp_NewBinNumber, temp_OldBinNumber) |eval SW_ClaimType=coalesce(temp_RecvdClaimType, temp_SentClaimType) | fields - temp* </CODE></PRE> Sat, 30 May 2015 14:52:56 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Conditional-Group-Capture-with-Name/m-p/48204#M11511 woodcock 2015-05-30T14:52:56Z