topic Re: Going crazy with simple Regex in Splunk Search

Going crazy with simple Regex

Zakary_n — Mon, 28 Oct 2019 10:07:12 GMT

Hello,

I wasted way too much time on my not working regex :

Here's what my _raw data looks like :

< Instrument=\"Guitar\" Price=\"500\" >

I would like to add an "instrument" field on my events but my regex wont work in Splunk (And it's working in other environments!).

My regex so far :

mySearch
| rex field=_raw  "Instrument=\"(?<instrument>.*)\""
| fields instrument

I know, I've tried escaping the backquotes like this : "Instrument=\\"(?<instrument>.*)\\"" but this way I get a closing parenthesis error.

I've also tried : "Instrument=\\\"(?<instrument>.*)\\\"", but same, this will only return my raw events.

Do you guys have an idea how to achieve this and create the field "instrument=Guitar" on my events ?

Re: Going crazy with simple Regex

gcusello — Mon, 28 Oct 2019 10:58:23 GMT

Hi Zakary_n,
probably the problem is "=" that's a special char and must be escaped.
Try this

| rex "Instrument\=\\\"(?<Instrument>\w+)"

that you can test at https://regex101.com/r/LBvB3S/1

Ciao.
Giuseppe

Re: Going crazy with simple Regex

gaurav_maniar — Mon, 28 Oct 2019 11:35:52 GMT

Hi,

The actual problem was with capture group ".", it is called greedy regex.
It may be capturing the value Guitar" Price="500,as you are using "."
The following regex will work,

|makeresults | eval test="< Instrument=\"Guitar\" Price=\"500\" >" | rex field=test "Instrument=\"(?<instrument>[^\"]+)\""

Accept & up-vote the answer if it helps.
happy splunking....!!!!

Re: Going crazy with simple Regex

arjunpkishore5 — Mon, 28 Oct 2019 11:39:48 GMT

Try this

|rex field=_raw "Instrument=\"(?<instrument>[^\"]+)\""

Re: Going crazy with simple Regex

Zakary_n — Mon, 28 Oct 2019 12:11:50 GMT

This helped a lot. Thank you.

Re: Going crazy with simple Regex

Zakary_n — Mon, 28 Oct 2019 12:15:42 GMT

This was helpful in finding the answer as well. Thank you.

Re: Going crazy with simple Regex

jpolvino — Mon, 28 Oct 2019 12:24:24 GMT

This is a solid tactic: the not-match. I find this works well when you know what character does NOT belong (in this case, the double quote) and the parser will will match up to that. Simple, clean, easy to understand.

Re: Going crazy with simple Regex

tmuthuk — Mon, 28 Oct 2019 13:43:34 GMT

Try this :

|rex "Instrument=\"(?[^\"]+)\""

Re: Going crazy with simple Regex

vikcee — Tue, 29 Oct 2019 10:35:24 GMT

Hi,

You Can also try this simple one. It will also work.

|rex "(?<Instrument_Name>[\w]+)\\\"\s\w"

You can test your rex : https://regex101.com/r/WNni5C/4