https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523653#M147705 <P>Thank you for your quick response. Is it possible to expand that regex so that it picks up string without 'reg' following the '_' or '.'?</P><P>For example:&nbsp;</P><P>So it would pick up:</P><P><SPAN>_20201007103200_20201007</SPAN><SPAN>.</SPAN><SPAN>zip</SPAN></P><P>but would not pick up:</P><P><SPAN class="t">_20201007144100_20200416_reg</SPAN><SPAN>.</SPAN><SPAN class="t">zip</SPAN></P> Thu, 08 Oct 2020 10:55:53 GMT jboustead 2020-10-08T10:55:53Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523641#M147699 <P>I am currently trying to use a regex to pick out the events with the date '2020XXXX' - I want the regex to search pick up any event date providing it does not have 'reg' following the '.' or '_' (pick out all the event dates below, except the first). How do I do this?&nbsp;</P><P>Current regex: 2020\d{4}[\.\_]</P><P>List of different events\logs from the splunk search:</P><P><SPAN class="t">_20201007144100_20200416_reg</SPAN><SPAN>.</SPAN><SPAN class="t">zip</SPAN></P><P><SPAN class="t">_20201007103200_20201007<SPAN>.</SPAN>zip</SPAN></P><P><SPAN class="t">_20201007095000_20201007</SPAN><SPAN>.</SPAN><SPAN class="t">zip</SPAN></P><P><SPAN class="t">_20201007092933_20201007<SPAN>.</SPAN>zip</SPAN></P><P><SPAN class="t">_20201007061717_20201007_txn<SPAN>.</SPAN>zip</SPAN></P><P><SPAN class="t">_20201007041719_20201007<SPAN>.</SPAN>zip</SPAN></P> Thu, 08 Oct 2020 10:21:08 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523641#M147699 jboustead 2020-10-08T10:21:08Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523652#M147704 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227186">@jboustead</a>,</P><P>try this regex</P><LI-CODE lang="markup">your_search | regex "_2020\d{4}_|\." | ...</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/g82uft/1" target="_blank">https://regex101.com/r/g82uft/1</A></P><P>Ciao.</P><P>Giuseppe</P> Thu, 08 Oct 2020 10:48:31 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523652#M147704 gcusello 2020-10-08T10:48:31Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523653#M147705 <P>Thank you for your quick response. Is it possible to expand that regex so that it picks up string without 'reg' following the '_' or '.'?</P><P>For example:&nbsp;</P><P>So it would pick up:</P><P><SPAN>_20201007103200_20201007</SPAN><SPAN>.</SPAN><SPAN>zip</SPAN></P><P>but would not pick up:</P><P><SPAN class="t">_20201007144100_20200416_reg</SPAN><SPAN>.</SPAN><SPAN class="t">zip</SPAN></P> Thu, 08 Oct 2020 10:55:53 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523653#M147705 jboustead 2020-10-08T10:55:53Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523655#M147706 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227186">@jboustead</a>,</P><P>let me understand: do you want "<SPAN>_20201007103200_20201007</SPAN><SPAN>.</SPAN><SPAN>zip" and you want to exclude "<SPAN class="t">_20201007144100_20200416_reg</SPAN>.<SPAN class="t">zip", is it correct?</SPAN></SPAN></P><P><SPAN><SPAN class="t">If this is your need, try this:</SPAN></SPAN></P><LI-CODE lang="markup">your_search | regex "_2020\d{4}\.zip" | ...</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/g82uft/2" target="_blank">https://regex101.com/r/g82uft/2</A></P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 08 Oct 2020 11:00:03 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523655#M147706 gcusello 2020-10-08T11:00:03Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523659#M147709 <P>That is correct, however - I am also wanting to include other strings such as:&nbsp;</P><P><SPAN class="t">_20201007061717_20201007_txn<SPAN>.</SPAN>zip</SPAN></P><P><SPAN class="t">_20201007092933_20201007_stl<SPAN>.</SPAN>zip</SPAN></P><P>Basically to include any string that does not contain _reg after the date...</P> Thu, 08 Oct 2020 11:04:54 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523659#M147709 jboustead 2020-10-08T11:04:54Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523844#M147789 <P>^_2\d*_(2)(\d*)([_\.])(?!req).*zip$<BR /><BR />Works for all dates before year 3000</P> Fri, 09 Oct 2020 05:31:12 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523844#M147789 FritzWittwer 2020-10-09T05:31:12Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523851#M147793 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227186">@jboustead</a>,</P><P>please try (like the one hinted by&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222118">@FritzWittwer</a>) someting like this:</P><P>&nbsp;</P><LI-CODE lang="markup">your_search | regex "_2020\d{4}([^\.]*)(?|reg)\.zip" | ...</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Fri, 09 Oct 2020 06:17:23 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/523851#M147793 gcusello 2020-10-09T06:17:23Z