topic Re: How to regex the field? in Splunk Search

How to regex the field?

karthi2809 — Tue, 29 Sep 2020 23:46:17 GMT

How to regex the field?

refId=Id-214f1652024d824e1f4cef63be666139\x00

What i used:
rex field=_raw "refId=Id-(?\w*-?\w*)

Expected : 214f1652024d824e1f4cef63be666139

Re: How to regex the field?

niketn — Wed, 20 Mar 2019 06:07:57 GMT

@karthi2809 please try the following

| rex "refId=Id-(?<refID>[^\\\]+)"

Following is a sample run anywhere search to test the same in Splunk

| makeresults
| eval _raw="refId=Id-214f1652024d824e1f4cef63be666139\x00"
| rex "refId=Id-(?<refID>[^\\\]+)"

Re: How to regex the field?

vnravikumar — Wed, 20 Mar 2019 06:10:50 GMT

Try this

| makeresults 
| eval msg="refId=Id-214f1652024d824e1f4cef63be666139\x00" 
| rex field=msg "-(?P<output>.+)\\\\"

Re: How to regex the field?

vinod94 — Wed, 20 Mar 2019 09:13:32 GMT

You can try this,

|makeresults 
|eval data="Id-214f1652024d824e1f4cef63be666139\x00"
| rex field=data "Id\-(?P<field_name>.*)\\\\"

Re: How to regex the field?

nickhills — Wed, 20 Mar 2019 10:41:35 GMT

This is the best answer from an efficiency point of view - 13 Steps (but watch how many \\ you use)
https://regex101.com/r/IXnuzE/1

The other examples, whilst working both involve > 75 steps.

Re: How to regex the field?

vnravikumar — Wed, 20 Mar 2019 11:02:36 GMT

 | rex field=msg "\-(?P<output>[^\\\]+)" with 6 Steps

Re: How to regex the field?

nickhills — Wed, 20 Mar 2019 11:59:43 GMT

Ha, that's cheating, you changed It! 😄

But yes, that's fewer steps, although the step count is only reduced because there are fewer characters to process.

The trade-off is that since you are being less specific with the preceding character match, the chances of a false positive are higher. Not an issue given the very limited example in the post, but matching preceding strings does not add any real penalty, and gives you the confidence of reducing FPs.
Join the regex channel on Splunk Slack if you fancy getting down in the weeds on regex performance!
There is even a weekly competition!

Re: How to regex the field?

vnravikumar — Wed, 20 Mar 2019 12:04:26 GMT

🙂 I accept you.

Re: How to regex the field?

vnravikumar — Wed, 20 Mar 2019 12:15:29 GMT

@nickhillscpl, thanks I had joined.