topic Re: REGEX in transform.conf using "^" to specify the begining does not work in Splunk Search

REGEX in transform.conf using "^" to specify the begining does not work

aferchichi — Thu, 17 Oct 2013 10:45:50 GMT

Hi,

I specified the following in transforms.conf

SOURCE_KEY = MetaData:Host REGEX = ^8\.\d{1,3}\.\d{1,3}\.\d{1,3}$ DEST_KEY = _MetaData:Index FORMAT = special_index

This should noramlly match host like 8.23.15.12, but it does not work. And if a remove the "^" it will match but it will also match 18.23.15.12 which I do not want. It seems that the "beging with" is not working... Is this a bug? is there a way to circumvent it?
Thanks for your help,

Azim

Re: REGEX in transform.conf using "^" to specify the begining does not work

alacercogitatus — Thu, 17 Oct 2013 11:29:42 GMT

You could try this REGEX:

^8\.\d{1,3}\.\d{1,3}\.\d{1,3}

Dropping the $ might help, since you don't really care about the end of the string, just the beginning.

Re: REGEX in transform.conf using "^" to specify the begining does not work

aferchichi — Thu, 17 Oct 2013 11:56:46 GMT

Thanks
but it does not work neither...

Any other suggestions?

Azim

Re: REGEX in transform.conf using "^" to specify the begining does not work

aferchichi — Thu, 17 Oct 2013 11:57:52 GMT

Thanks
but it does not work neither...

Any other suggestions?

Azim

Re: REGEX in transform.conf using "^" to specify the begining does not work

alacercogitatus — Thu, 17 Oct 2013 12:08:38 GMT

[^0-79]{1}\.\d{1,3}\.\d{1,3}\.\d{1,3} ?

Re: REGEX in transform.conf using "^" to specify the begining does not work

aferchichi — Thu, 17 Oct 2013 12:28:19 GMT

Thanks but it leads to the same result... Your expression will also match 18.2.3.4 ... Which I dont want. It really seams that splunk is not capable of interpreting the begining of a string "^".

Re: REGEX in transform.conf using "^" to specify the begining does not work

alacercogitatus — Thu, 17 Oct 2013 12:33:14 GMT

[^0-9]{1,2}[^0-79]{1}\.\d{1,3}\.\d{1,3}\.\d{1,3} . Not sure why it's not picking up the "^".

Re: REGEX in transform.conf using "^" to specify the begining does not work

aferchichi — Thu, 17 Oct 2013 13:20:28 GMT

Thanks again... But here you must have something before the number "8", like a8.4.5.7 and therefore will not match the 8.4.5.7

Re: REGEX in transform.conf using "^" to specify the begining does not work

alacercogitatus — Thu, 17 Oct 2013 13:24:14 GMT

I checked that regex here: http://gskinner.com/RegExr/, with these IPs:

128.3.2.4
8.4.3.2
18.3.4.5

And it only matches the 8.4.3.2 IP.

Re: REGEX in transform.conf using "^" to specify the begining does not work

aferchichi — Thu, 17 Oct 2013 13:44:32 GMT

In fact, I think the Host variable extracted has some non viewable characters before the digits (maybe a space), that's why it did not match the "begin with 8" expression ^8.

Re: REGEX in transform.conf using "^" to specify the begining does not work

sowings — Thu, 17 Oct 2013 14:35:04 GMT

Some of the other metadata fields have a hidden prefix of the name of the field itself, so it could be host::8.x.y.z

Re: REGEX in transform.conf using "^" to specify the begining does not work

nunoaragao — Wed, 12 May 2021 11:30:54 GMT

Maybe not working because SOURCE_KEY = MetaData:Host will return

host::

at the begging of the string.
Maybe change REGEX to either

REGEX = ^host\:\:8\.\d{1,3}\.\d{1,3}\.\d{1,3} REGEX = (?<!\d)8\.\d{1,3}\.\d{1,3}\.\d{1,3}