How do you make a regex that skips an optional word?

moorvogi — Thu, 13 Dec 2018 17:45:03 GMT

I'm fairly new to regex. In other languages, i just string split and hack it up as needed, but i'm trying to use regex w/ Splunk. I have 3 lines of text which I'll simplify for clarity.

timestamp and Stuff stringIWantOne and optionalWord stringIWantThree extra words
timestamp and Stuff stringIWantOne and stringIWantTwo extra words
timestamp and Stuff stringIWantOne and optionalWord stringIWantThree extra words

In this example, i want to grab the actual content of "stringIWantOne" and "stringIWantThree" as well as "stringIWantTwo".

stringIWantThree and Two are only ever 2 words.

the regex string i have right now is:

Interface\ (?Psrc_interface>.*), changed state to (?:administratively) (?P<port_status>\w+)

If i take out the (?:administratively) part, i almost get the desired results (up|down), but I also get "administratively". I want them to all be only "up | down" but I don't want to exclude the records that have the word administratively in it.

Re: How do you make a regex that skips an optional word?

aholzer — Tue, 29 Sep 2020 22:28:35 GMT

This should do the trick:

Interface (?<src_interface>[^,]+), changed state to (administratively )?(?<port_status>\w+)

The '?' after the '(administratively )' capture group, basically tells the regex that the previous group/character is optional.

Used this as my sample data:

Interface 123, changed state to administratively up
Interface 234, changed state to administratively down
Interface 321, changed state to up
Interface 432, changed state to down

It catches all 4 distinct values of "src_interface" and "port_status".

I used regex101 to help double check the regex.

Hope this helps

topic How do you make a regex that skips an optional word? in Splunk Search

How do you make a regex that skips an optional word?

Re: How do you make a regex that skips an optional word?