topic Re: issue in regex in Splunk Search

issue in regex

pragycho — Sun, 07 Mar 2021 18:22:30 GMT

Hi ,

i want to ignore some comment line and last comment store value in field.

for example , I have log where first 3 line field is in commented for Version, Date, Software

#Ver: 1.0
#Date: 2020-04-18 11:10:15
#Software: ABC for Web 11.8.0-414

how to write the regex expression for this where i can store last field value

my regex REGEX = ^\# but it is dropping all lines with leading hash

how to store Software value in field but other previous field value can drop

Re: issue in regex

tscroggins — Sun, 07 Mar 2021 18:51:16 GMT

@pragycho

To exclude all lines beginning with # except for #Software in a transform evaluated at index time, try:

^#(?!Software)

To extract the text after #Software: into a field in a transform at search time, try:

^#Software:\s+(?<software>.*)

This is the equivalent rex command:

| rex "^#Software:\s+(?<software>.*)"

I can provide more detailed conf examples if you can provide a little more context around where (index time or search time) you want to discard lines and extract values.

Re: issue in regex

pragycho — Thu, 11 Mar 2021 08:21:36 GMT

i have Regex in transform.com .

which is good for performance