topic Re: regex in Splunk Search

regex

simo — Tue, 27 Apr 2021 13:13:53 GMT

Hi all,

I have a column containing
Request = REQ_IN ...... { ...... "productId": "test", ...... { ....... "productId": "test2" }}
I have to take the containing value in the first one productId test
I using = | rex field=Request "REQ_IN.*\"productId\"(?<productId_rex>[^,]*)"
but it returns me the second value test2
how can i solve?

Simone

Re: regex

aasabatini — Tue, 27 Apr 2021 14:02:03 GMT

Hi @simo

Can you try this regex?

^(?:[^:\n]*:){1}\"(?<productid>\w+)

Re: regex

simo — Tue, 27 Apr 2021 14:20:55 GMT

it's not working 😞

Re: regex

aasabatini — Tue, 27 Apr 2021 14:26:15 GMT

@simo don't worry

try this

^[^:\n]*:\"(?P<productId>\w+)

Re: regex

ITWhisperer — Tue, 27 Apr 2021 14:56:08 GMT

You need to use lazy expansion on the any character, something like:

| rex field=Request "REQ_IN.+?\"productId\":\s(?<productId_rex>[^,]*)"

Re: regex

simo — Tue, 27 Apr 2021 15:54:14 GMT

hi @ITWhisperer

thanks so it goes, but it does not work if the value of productId is only once 😞

simone

Re: regex

ITWhisperer — Tue, 27 Apr 2021 16:07:31 GMT

I was following your example, but perhaps you could also not extract the quotation marks and use that as the delimiter, rather than the comma, as I suspect that isn't present if there is only one?

| rex field=Request "REQ_IN.+?\"productId\":\s\"(?<productId_rex>[^\"]*)"

Re: regex

manjunathmeti — Tue, 27 Apr 2021 18:22:15 GMT

hi @simo,
Command rex captures the first match in the group. Try this:

| makeresults | eval test="Request = REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}" | rex field=test "\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

Re: regex

simo — Wed, 28 Apr 2021 14:10:46 GMT

Hi @manjunathmeti

so he is taking the first one, at the beginning I need him to take REQ_IN and so something doesn't work 😞

| makeresults
| eval test="REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}"
| rex field=test "REQ_IN.*\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

Simone

Re: regex

manjunathmeti — Wed, 28 Apr 2021 18:24:13 GMT

You need to use lazy quantifier (*?B instead of greedy (*) to match as few characters as possible. Try this.

| makeresults | eval test="REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}" | rex field=test "REQ_IN.*?\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

If this reply helps you, a like would be appreciated.

Re: regex

ITWhisperer — Wed, 28 Apr 2021 19:11:36 GMT

@manjunathmeti Looks very similar to my answer from yesterday 🙂

Re: regex

manjunathmeti — Thu, 29 Apr 2021 05:43:35 GMT

Yes, it is. My bad I was like lazy quantifier 😀