https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422951#M121419 <BLOCKQUOTE> <P>Blockquote</P> </BLOCKQUOTE> <P>I have to build a table that lists all the service names that are in particular format for e.g "ABC-*.-&lt;&gt;", Is this possible??</P> <P>I actually tried by building a regular expression like this index=my_index sourcetype=my_source | regex name = "^ABC-.*-(Name1|Name2|Name3|Name4|....Name600) but I am getting "Regex: regular expression too large error" Any other way of solving this??</P> <BLOCKQUOTE> <P>Blockquote</P> </BLOCKQUOTE> Tue, 29 Sep 2020 19:43:10 GMT stang1234 2020-09-29T19:43:10Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422951#M121419 <BLOCKQUOTE> <P>Blockquote</P> </BLOCKQUOTE> <P>I have to build a table that lists all the service names that are in particular format for e.g "ABC-*.-&lt;&gt;", Is this possible??</P> <P>I actually tried by building a regular expression like this index=my_index sourcetype=my_source | regex name = "^ABC-.*-(Name1|Name2|Name3|Name4|....Name600) but I am getting "Regex: regular expression too large error" Any other way of solving this??</P> <BLOCKQUOTE> <P>Blockquote</P> </BLOCKQUOTE> Tue, 29 Sep 2020 19:43:10 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422951#M121419 stang1234 2020-09-29T19:43:10Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422952#M121420 <P>Can you please show some example data?</P> Tue, 29 May 2018 19:42:38 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422952#M121420 xpac 2018-05-29T19:42:38Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422953#M121421 <P>Is there a pattern to the service name endings or are they 600 random strings?<BR /> Regex is better suited to validating data <EM>format</EM> than <EM>content</EM>. IOW, use <CODE>rex</CODE> to determine if a string is a potential service name and extract the "Name*" part. Then use a lookup to validate the Name against a list of known names.</P> Tue, 29 May 2018 21:31:26 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422953#M121421 richgalloway 2018-05-29T21:31:26Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422954#M121422 <P>All 600 start with a prefix like “ENV” and rest are random. I did create a lookup with these 600.</P> Wed, 30 May 2018 11:50:19 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422954#M121422 stang1234 2018-05-30T11:50:19Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422955#M121423 <P>Try something like this.</P> <PRE><CODE>index=my_index sourcetype=my_source name = "ABC*" | rex field=name "^ABC-.*-(?&lt;subname&gt;.*)" | lookup names.csv name-field-in-lookup-file as subname | ... </CODE></PRE> Wed, 30 May 2018 16:00:13 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422955#M121423 richgalloway 2018-05-30T16:00:13Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422956#M121424 <P>Fantastic, that worked!! This is exactly what I was looking for. </P> Wed, 30 May 2018 18:38:45 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-with-lookup/m-p/422956#M121424 stang1234 2018-05-30T18:38:45Z