https://community.splunk.com/t5/Splunk-Search/Positive-lookahead-in-rex-to-extract-ABC-BCD-amp-CDE-from-ABCDE/m-p/525313#M148224 <P>Hi, folks.<BR /><BR />I am stumped on this matter. My goal is extracting ABC, BCE, &amp; CDE from ABCDE into a multivalue field.</P><P>So far, I have played around with regex101.com and got these 2 regex:</P><UL><LI><STRONG>(?&lt;field_1&gt;(?=(\w{3})))</STRONG></LI><LI><STRONG>(?&lt;field_2&gt;(?&lt;=(\w{3})))</STRONG></LI></UL><P>Both seem to work on regex101.com</P><P>But the thing is, I always get empty results in Splunk. I was using this command</P><P><STRONG>| makeresults | eval sample="ABCDE" | rex field=sample max_match=0 "(?&lt;field_1&gt;(?=(\w{3})))"</STRONG></P><P>I understand that I was using positive lookahead and positive lookbehind. I opt to use one of them, since I'm not aware of how many characters the original field would have. So, either lookahead or lookbehind seems to be the appropriate method to do.</P><P>Are these two methods available in Splunk? Or am I doing this in a wrong way?</P><P>Please advise.<BR />Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 19 Oct 2020 11:11:18 GMT Amusthofa 2020-10-19T11:11:18Z https://community.splunk.com/t5/Splunk-Search/Positive-lookahead-in-rex-to-extract-ABC-BCD-amp-CDE-from-ABCDE/m-p/525313#M148224 <P>Hi, folks.<BR /><BR />I am stumped on this matter. My goal is extracting ABC, BCE, &amp; CDE from ABCDE into a multivalue field.</P><P>So far, I have played around with regex101.com and got these 2 regex:</P><UL><LI><STRONG>(?&lt;field_1&gt;(?=(\w{3})))</STRONG></LI><LI><STRONG>(?&lt;field_2&gt;(?&lt;=(\w{3})))</STRONG></LI></UL><P>Both seem to work on regex101.com</P><P>But the thing is, I always get empty results in Splunk. I was using this command</P><P><STRONG>| makeresults | eval sample="ABCDE" | rex field=sample max_match=0 "(?&lt;field_1&gt;(?=(\w{3})))"</STRONG></P><P>I understand that I was using positive lookahead and positive lookbehind. I opt to use one of them, since I'm not aware of how many characters the original field would have. So, either lookahead or lookbehind seems to be the appropriate method to do.</P><P>Are these two methods available in Splunk? Or am I doing this in a wrong way?</P><P>Please advise.<BR />Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 19 Oct 2020 11:11:18 GMT https://community.splunk.com/t5/Splunk-Search/Positive-lookahead-in-rex-to-extract-ABC-BCD-amp-CDE-from-ABCDE/m-p/525313#M148224 Amusthofa 2020-10-19T11:11:18Z https://community.splunk.com/t5/Splunk-Search/Positive-lookahead-in-rex-to-extract-ABC-BCD-amp-CDE-from-ABCDE/m-p/525340#M148231 <P>seems positive lookahead and look behind is not working in Splunk regex.</P><P>(?=(?&lt;field_1&gt;\w{3}))&nbsp;</P> Mon, 19 Oct 2020 12:26:47 GMT https://community.splunk.com/t5/Splunk-Search/Positive-lookahead-in-rex-to-extract-ABC-BCD-amp-CDE-from-ABCDE/m-p/525340#M148231 thambisetty 2020-10-19T12:26:47Z https://community.splunk.com/t5/Splunk-Search/Positive-lookahead-in-rex-to-extract-ABC-BCD-amp-CDE-from-ABCDE/m-p/525341#M148232 <P>Hi, thanks for responding.</P><P>I have been trying that too, but all I get is only ABC.</P><P>If I use it like this:<BR />| makeresults<BR />| eval sample="ABCDE"<BR />| rex fields=sample max_match=3 "<SPAN>(?=(?&lt;field_1&gt;\w{3})) "</SPAN></P><P>Then all I got were:<BR />ABC<BR />ABC<BR />ABC</P><P>I'm not really sure about the logic though.</P> Mon, 19 Oct 2020 12:30:57 GMT https://community.splunk.com/t5/Splunk-Search/Positive-lookahead-in-rex-to-extract-ABC-BCD-amp-CDE-from-ABCDE/m-p/525341#M148232 Amusthofa 2020-10-19T12:30:57Z https://community.splunk.com/t5/Splunk-Search/Positive-lookahead-in-rex-to-extract-ABC-BCD-amp-CDE-from-ABCDE/m-p/527468#M148896 <P>Hi, folks.<BR /><BR />I've been tinkering around these 2 weeks and finally found a solution. Sort of. This is basically a haphazard workaround.</P><P>The first thing I did was trying make it more readable. Instead of <STRONG>ABCDE</STRONG>, I used <STRONG>A B C D E</STRONG>. Basically putting a delimiter between characters. Thus, my regex also changed into something like this <STRONG>(?=(?&lt;field1&gt;\w\s\w\s\w))</STRONG></P><P>That regex didn't work, unfortunately.</P><P>Then I wonder if the regex actually need something to anchor on. So, I manipulated my original text again by adding a space before <STRONG>A</STRONG>. My regex became like this <STRONG>\s(?=(?&lt;field1&gt;\w\s\w\s\w))</STRONG></P><P>I got my intended results, but I still wonder why Splunk's regex engine behaves like that.</P><P><STRONG>NOTE:&nbsp;</STRONG>I had to use&nbsp;<STRONG>\w\s\w\s\w</STRONG> since&nbsp;<STRONG>.....&nbsp;</STRONG>or&nbsp;<STRONG>.{5}&nbsp;</STRONG>didn't work when I tried them.</P><P><STRONG>NOTE2</STRONG>: The delimiter between characters and the "anchor" before the first character must be EXACTLY THE SAME.</P><P>Full SPL:</P><LI-SPOILER>| makeresults<BR />| eval text="ABCDEFG"<BR />| rex field=text mode=sed "s/(\w)/\1 /g"<BR />| eval text=" "+text<BR />| rex field=text max_match=0 "\s(?=(?&lt;field1&gt;\w\s\w\s\w))"&nbsp;</LI-SPOILER><P>&nbsp;Screenshot attached</P> Mon, 02 Nov 2020 06:25:25 GMT https://community.splunk.com/t5/Splunk-Search/Positive-lookahead-in-rex-to-extract-ABC-BCD-amp-CDE-from-ABCDE/m-p/527468#M148896 Amusthofa 2020-11-02T06:25:25Z