topic Re: reverse regular expression to capture text started by end line and ending with begining of a character in Splunk Search

reverse regular expression to capture text started by end line and ending with begining of a character

royimad — Wed, 28 Aug 2013 09:10:51 GMT

Is there a reverse regular expression that start with an end line and begin with a characters
Example:
I have a regular expression that i would like to use the same concept but in reverse order.
Hereby the regular expression:

| rex field=_raw "(?ms)?<capture>Total.*)^"

I need to use the same concept but in reverse order without changing the subject , same characters *,^ If this is not possible i will learn something else but actually i prefer to do it with the same concept.

Finding the last dash in capture in reverse order and going to the second dash with the right order not the reverse.

Re: reverse regular expression to capture text started by end line and ending with begining of a character

Ayn — Wed, 28 Aug 2013 10:27:00 GMT

It's a bit confusing. What do you mean by reverse in this case? Can you give us a specific example of what you want to do, because I think you're making this sound a bit more complicated than it needs to be 🙂

Re: reverse regular expression to capture text started by end line and ending with begining of a character

royimad — Wed, 28 Aug 2013 10:28:34 GMT

I'm thinking of that:

sourcetype="imap" 
| rex field=_raw "(?ms)(?<capture>Total.*)^" 
| rex field=capture "-(?<dash>.*)" 
| rex field=dash "-(?<seconddash>.*)" 
| rex field=seconddash "-(?<thirddash>.*)"
| rex field=thirddash "-(?<fourthdash>.*)"
| rex field=fourthdash "-(?<fifthdash>.*)"
| rex field=fifthdash "-(?<sixdash>.*)"
| rex field=sixdash "-(?<sevendash>.*)"

But it appear that is a long way to finish, The reverse order will make much more sense.

Re: reverse regular expression to capture text started by end line and ending with begining of a character

Ayn — Wed, 28 Aug 2013 10:46:09 GMT

Again, show an example. Including sample event. I've no idea what the text you're trying to match something against looks like.

Re: reverse regular expression to capture text started by end line and ending with begining of a character

Ayn — Wed, 28 Aug 2013 10:46:56 GMT

Also please make sure you get formatting in code blocks correct. Code blocks should be indented by 4 spaces at the start of each line. Without that, characters like * will mess up the formatting and your regexes will not show as they should.

Re: reverse regular expression to capture text started by end line and ending with begining of a character

kristian_kolb — Wed, 28 Aug 2013 11:02:57 GMT

Hm, I guess that you want to anchor the regex to the end of a string (with a $). Something like this perhaps. Assuming that you have a field that contains;

My powerful crane stands proudly, looking out over the building site as the sun sets. I really think it is beautiful. I love cranes.

To capture the last sentence the following regex will work;

rex field=my_text "\.\s(?<last_sentence>[\w\s]+\.)$"

Now the field last_sentence has the value I love cranes.

But as Ayn says, provide some sample events, and what you want to extract.

Re: reverse regular expression to capture text started by end line and ending with begining of a character

Ayn — Wed, 28 Aug 2013 11:20:56 GMT

Upvoted for "My powerful crane stands proudly"

Re: reverse regular expression to capture text started by end line and ending with begining of a character

royimad — Wed, 28 Aug 2013 11:42:22 GMT

It is simply as that:
Start with the end of a text and go to the last characters up, can this be done?

Re: reverse regular expression to capture text started by end line and ending with begining of a character

Ayn — Wed, 28 Aug 2013 13:55:28 GMT

Fair enough, an answer with about the same detail: yes, it can be done.

Re: reverse regular expression to capture text started by end line and ending with begining of a character

rturk — Wed, 28 Aug 2013 13:58:53 GMT

Seconded - shut up and take my karma! 🙂

Re: reverse regular expression to capture text started by end line and ending with begining of a character

Rob — Wed, 28 Aug 2013 18:18:18 GMT

+1 for the crane