topic Re: regex101 to splunk rex translation insertion- Why isn't it working in splunk? in Splunk Search

Why isn't regex101 to Splunk rex translation insertion working?

Steve_A200 — Tue, 26 Apr 2022 15:39:00 GMT

Hi,

I managed to get my regex101 expression working, however, I am not able to get it working in splunk. I would like to extract only the location ID's that are listed in the _raw if they are preceded with the text "Location not found.ID: "

Test string:

Location not found. ID: ABC000123244343

Regex101 copied value:

/[ABC0]\w+[a-zA-Z0-9]/gm

However, when I tried the below in splunk it didn't provide me the results I expected:

| from datamodel:"xyzlogs" | fields _raw | where like(_raw,"%Location not found.ID: ABC000%") | rex field=_raw "(?P<Location_id>/[ABC0]\w+[a-zA-Z0-9]/gm)"

Any help would be appreciated.

Thank you.

Re: regex101 to splunk rex translation insertion- Why isn't it working in splunk?

ITWhisperer — Mon, 25 Apr 2022 23:09:34 GMT

You don't need everything from regex101, just the regex

| makeresults | eval _raw="Location not found. ID: ABC000123244343" | rex "(?P<Location_id>[ABC0]\w+[a-zA-Z0-9])"

Re: regex101 to splunk rex translation insertion- Why isn't it working in splunk?

VatsalJagani — Tue, 26 Apr 2022 06:17:20 GMT

@Steve_A200 - As suggested by @ITWhisperer , you just use the regex part of it.

/<regex>/<flags>

g & m are flags for global and multiline, which is true by default for Splunk's rex command.

Re: regex101 to splunk rex translation insertion- Why isn't it working in splunk?

PickleRick — Tue, 26 Apr 2022 06:28:32 GMT

Additionally, you can just include this "condition" in your regex.

But firstly make sure that your regex indeed does what you indend it to do.

Firstly you're looking for the string including "ABC000*", then you're matching against [ABC0] (that's a character class, not an explicit string).

What you need seems to be something more like

| rex field=_raw "Location\snot\sfound.ID:\s+(?<Location>ABC0\S+))

Which matches only those strings that start with ABC0 and are preceeded with "Location not found" string. Otherwise the regex will simply not match so it will not extract anything.

Re: regex101 to splunk rex translation insertion- Why isn't it working in splunk?

Steve_A200 — Tue, 26 Apr 2022 13:45:29 GMT

Thank you for the prompt help, I found the best solution for my data logs was the suggestion below by @PickleRick :

| rex field=_raw "Location\snot\sfound.ID:\s+(?<Location>ABC0\S+))

It was what I needed to extract.

Thank you all for your help, appreciate this community and the Talent it has.