topic Re: regex query in Splunk Search

Help with regex search?

jerinvarghese — Tue, 15 Nov 2022 13:55:21 GMT

Hi Team,

Thanks in advance,

Need a quick help in Regex query,

Input values:

KUL6LJBJ62YD
BLR6LC7BLNJR
HRI6M5G6KKPH
KUL6LJ3N0F6J
HRI6LBJKRHHR
HRI6LB65G6NF

Expected output:

First 3 character of each phrase.

CUrrent Regex : (?<SITE_NAME>[^\W]{3}) << BUT AM not getting proper output>>

Expected Output :

| table SITE_NAME

KUL

BLR

HRI

KUL
HRI

HRI

Thanks

Jerin V

Re: regex query

yuanliu — Tue, 15 Nov 2022 10:50:09 GMT

Your output is exactly the first 3 characters of each input. What is the question then?

Re: regex query

gcusello — Tue, 15 Nov 2022 10:58:54 GMT

Hi @jerinvarghese,

your regex is correct and you could also use substr:

| eval SITE_NAME=substr(SITE_NAME,3)

so what is your issue?

Ciao.

Giuseppe

Re: regex query

jerinvarghese — Tue, 15 Nov 2022 12:02:29 GMT

In my search in SPlunk, It sometimes shows me the second vlaue(dark green), thats where i got the problem.

Re: regex query

SplunkExplorer — Tue, 15 Nov 2022 13:25:37 GMT

Hi @jerinvarghese, I don't know if your input can contain only number and letters or also other symbols; in case of alphabet letter and arabic number only, I tested this on regex101: Regex3chars

Please let me know if it works or Splunk or not.

Re: regex query

ITWhisperer — Tue, 15 Nov 2022 13:30:14 GMT

There are a couple of things you might want to change - you could use the max_match option to limit the number of matches, you could use the carat (^) to anchor the match to the beginning of the field, you could use \w instead of the double negative (^ in the square brackets means not, \W means not \w, so ^\W should be equivalent to \w)

| rex max_match=1 "(?<SITE_NAME>^\w{3})"