topic Re: Need the correct regular expression for my rex command in Splunk Search

Need the correct regular expression for my rex command

moizmmz — Tue, 29 Sep 2020 23:00:24 GMT

Here is my event's raw data:

{"line":"level=info t=\"2019-01-29T18:19:42.999Z\" rt=2 method=GET path=\"/contentskus/5b7ee52a4f6b9c001b049ac3?dma=999\u0026itemsPerPage=25\u0026page=1\" sc=200 dma=999 apikey=DEFAULT amzn_trace_id=unknown enabledFeatures=recommendations,upcomingSearch,popularityQueriesPlatformSpecific,availabilityTimes,avoidDefaultQuery,useFavoritesExternalSchemaForD2C,useFavoritesV2ForFavoritesFilter,endCardRecommendations,cmsAuthFallback os=2 rid=\"6962240ed296c770\" mode=published","source":"stdout","tag":"ecs-uat_admin_v1sandbox_blue-35-uat-service-admin-d8d0a7a0c2dfe8ea6c00/503343765eaa","attrs":{"SERVICE_NAME":"admin","SERVICE_TAGS":"contentgroups,contentsettings,contentskus,metatags,settings,userroles,users,s3signurl","SERVICE_VERSION":"v1sandbox","com.amazonaws.ecs.task-arn":"arn:aws:ecs:us-west-2:776609208984:task/305f6e5a-d20d-4aa2-877d-1bba2d442a7b"}}

I'm trying to create a new field called service_name where I extract the highlighted portion in the above event. The regukar expression that I wrote is: \W\W\W[e][c][s]\S(?\w{1,})

Achieved result: uat_admin_v1sandbox_blue
Expected result: admin_v1sandbox_blue

Please help!!!

Re: Need the correct regular expression for my rex command

chrisyounger — Tue, 29 Jan 2019 19:21:57 GMT

Hi @moizmmz

Does this work for you: \"tag\":\"[^\-]+\-[^\_]+\_([^\-]+)

https://regex101.com/r/XFwLwU/1/

Good luck 🙂

Re: Need the correct regular expression for my rex command

moizmmz — Tue, 29 Jan 2019 19:40:17 GMT

Perfect! thank you!

Re: Need the correct regular expression for my rex command

saurabh009 — Tue, 29 Jan 2019 19:53:58 GMT

The easiest way to check for any regular expression is using splunk extract fields. Its quite powerful and gives almost exact extraction.
you can see the regular expression used and apply the same in your query using "rex " command.

Re: Need the correct regular expression for my rex command

moizmmz — Tue, 29 Jan 2019 19:59:45 GMT

Can you pls explain this part: [^-]+-[^_]+_([^-]+) ??

Re: Need the correct regular expression for my rex command

moizmmz — Tue, 29 Jan 2019 20:06:34 GMT

problem is, the events don't load in the sample events slot more than half the time

Re: Need the correct regular expression for my rex command

chrisyounger — Tue, 29 Jan 2019 21:02:25 GMT

It means any characters except for hypon
then a hyphon
then anything except for an underscore
Then an underscore
Then capture everything until a hyphon

Re: Need the correct regular expression for my rex command

moizmmz — Tue, 29 Jan 2019 21:31:57 GMT

Awesome!!! thanks!!!