topic Re: Regex for ending with a particular pattern in Splunk Search

Regex for ending with a particular pattern

xvxt006 — Sat, 07 Sep 2013 22:38:25 GMT

Hi,

I am want to get all the events ending with a referrer url of the below format.

http://www.company.com/product/Glasses-PR37323 
http://www.company.com/search?keyword=PR12389

So i tried:

| regex Referrer=*PR\d{5}$

But did not work. Any suggestions please?

Re: Regex for ending with a particular pattern

rturk — Sun, 08 Sep 2013 01:55:08 GMT

Hi xvxt006,

Are you tring to do this via the search interface? If so, your syntax is incorrect. Try this:

<search> | rex "PR(?<referrer>\d+)"

This assumes that:

You do not have multilines event
The referrer is always preceded with PR
The referrer ID is always numerical.

The regex command is used to remove or keep results that match the regular expression (i.e. not for field extraction).

References:

rex (Splunk docs): http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex
regex (Splunk docs): http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex

Hope this helps!

If this answers your question don't forget to upvote and mark as answered so other people with the same issue can be helped as well 🙂

Re: Regex for ending with a particular pattern

rsennett_splunk — Sun, 08 Sep 2013 02:01:53 GMT

You've got a couple of syntax errors there. You need double quotes around the regular expression, and your regular expression has a couple of problems. (also, that is an oddly non-traditional spelling for the fieldname, (although a proper spelling of the word) so I would check on that to be sure...

What you want is this:

| regex Referrer = "PR\d{5}$"

the regex command is a kind of a match for "keepit" or "don't keep it" so you don't have to try to accommodate the rest of the string. If it finds that pattern, in the field you specify, it will keep or not keep depending upon your operator.

In this case, the asterisk isn't doing anything.

In regular expressions it isn't really a "wildcard" character. It matches 0 or more of the preceding token. so 87* will match 877 but luckily in this case you don't have to worry about that.

Now, without the asterisk, your regular expression is only looking for this: PRddddd. You need to escape the d so that it means digit and it will repeat only that character.

I think you'll be in business now.

I highly recommend this website for testing out your regular expressions.
Super helpful:

http://gskinner.com/RegExr/

Re: Regex for ending with a particular pattern

rsennett_splunk — Sun, 08 Sep 2013 02:10:13 GMT

I don't think the question was about field extraction... but I guess we'll see. 🙂

Re: Regex for ending with a particular pattern

rturk — Sun, 08 Sep 2013 02:12:42 GMT

Ahhh you might be correct 🙂

Re: Regex for ending with a particular pattern

xvxt006 — Mon, 09 Sep 2013 13:04:48 GMT

Thank you for the detailed explanation. I will try this and let you know.

Re: Regex for ending with a particular pattern

xvxt006 — Mon, 09 Sep 2013 13:06:14 GMT

Yes it is not about filed extraction.. Thank you both for your inputs. Yes i will mark it once i test it.

Re: Regex for ending with a particular pattern

xvxt006 — Mon, 28 Sep 2020 14:44:28 GMT

I have asked this in a separate thread too. But just want to check with you guys to see if you can help me with this one too as it is similar.

I am planning to capture all the URIs with word chaser (case insensitive).

I have used this
| regex uri="(?i)Chaser(?:[^\"])"

but did not get any results. do i need to include anything in the regex?
Thanks for your help.

Below are few examples.

1) /gdfgfd/N-/Ntt-MILWAUKEEFUEL?pm_sp=CS_Chaser--PO_L3_Multi--werwerdfg

2)/CHASER-STAKES-rOutdoor-brother-Retractable-6trJ3?we_sp=IO--PDI--RR_VTV70300505&cm_vc=WSPRRZ1