topic Re: OR (|) condition in regular expression in Splunk Search

OR (|) condition in regular expression

jangid — Fri, 14 Dec 2012 17:16:35 GMT

I am missing something in my regular expression
I am having similar log and I can do with two regex but I want to combine all search in single regex.

Here is my 2 log events

I20121126 16:50:50.949136  7416 r_c.cpp:42] TTT.OUT.MESSAGE:121 [R10] [LOG-SG1/REPORT.PRINT.SOD-EB.EOD.REPORT.PRINT] [T24.System.Metrics] READ.SIZE#HMLL1107506#26 NOV 2012#16:50:51#1#F.STANDARD.SELECTION#FD.FID.ORDER#INT#EB.EOD.REPORT.PRINT#7852#0#4

I20121126 16:57:22.375921  7416 r_c.cpp:42] TTT.IN.MESSAGE:121 [R10] [LOG-SG1/BATCH.DATE.RESET-BATCH.DATE.RESET] [T24.System.Metrics] JOB.STARTED#HMLL1107506#26 NOV 2012#16:57:22#1#O999#SG0010001_20120131-SG1/BATCH.DATE.RESET_BATCH.DATE.RESET_1#DailyRollingOTCCRAN.SY1202601307#BATCH.DATE.RESET#1#0#4

Here is my regex

\[[\w]{0,}-{0,1}(?P<CompanyName>\w\w\w)[^\s]+\s\[(?P<RecordType>[\w\.]{0,})\]\s(?P<JobStatus>[^#]+)#(?P<ServerName>[^#]+)#(?P<ServerDate>[^#]+)#(?P<ServerTime>[^#]+)#(?P<MetricsCount>[^#]+)#(?P<Stage>\w{0,1})(?P<ItemDetail>\d{0,3})|(?P<ItemDescription>[^#]+)#(?P<TopKey>[^#]+)#(?P<TransactionRef>[^#]{0,})#(?P<Application>[^#]{0,})#(?P<ResponseTime>\d+)#(?P<Unused>\d)#(?P<PortNumber>\d)

above regex will select only one event
something wrong here

**(?P<Stage>\w{0,1})(?P<ItemDetail>\d{0,3})|(?P<ItemDescription>[^#]+)**

can you please tell me what I am missing?

Re: OR (|) condition in regular expression

yannK — Fri, 14 Dec 2012 17:28:38 GMT

Not sure if you can use an OR to extract one field of another.
usually this is the opposite, you have one field with 1 value or another.

try to do in 2 steps

 rex "(?((\d{0,3})|([^#]+))

then an eval with conditions to extract the fields ItemDetail OR the field ItemDescription from the field ItemAll.

Re: OR (|) condition in regular expression

martin_mueller — Fri, 14 Dec 2012 19:30:36 GMT

It is possible to have a | between fields in rex, it'll extract the first field that matches - even if the second one would have matched as well.

Not sure if this is what the OP wants though, it's not a logical OR in the sense of "this, that, or both" but rather a "this if it exists, else that if it exists, else neither" 😄

Re: OR (|) condition in regular expression

jonuwz — Fri, 14 Dec 2012 20:23:06 GMT

You can use OR in regex, you just need to group the options together in a non-capturing group

i.e.

(?:(?P<ItemDetail>\d{0,3})|(?P<ItemDescription>[^#]+))

This will set ItemDescription in the 1st example log.

You might prefer

(?:(?P<ItemDetail>\d{0,3})|\.(?P<ItemDescription>[^#]+))

If you want to strip the '.' after Stage ( F in the 1st example ) as it sticks to the front of the ItemDescription