https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-lookahead-to-capture-the-information-from-the/m-p/626044#M217600 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;for your quick replies!&nbsp; Ultimately, Rich's search served my needs best.&nbsp; One funny oddity, I needed to use the dash after the stanza as a delimiter and lookahead worked just fine in that capacity.&nbsp;&nbsp;</P><P>index=calabrio MSG_VOICERECORDING_NOTIFY:SRC_NOTIFY_NO_PACKETS<BR />| rex field=_raw "Filename\([\d-]+(?&lt;phoneid&gt;[A-Z]{3}.*<STRONG>(?=-)</STRONG>)"<BR />| stats count by phoneid</P> Thu, 05 Jan 2023 18:30:22 GMT mikecal 2023-01-05T18:30:22Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-lookahead-to-capture-the-information-from-the/m-p/625919#M217568 <P>I'm trying to use the following search to capture information regarding an identification code:</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=calabrio MSG_VOICERECORDING_NOTIFY:SRC_NOTIFY_NO_PACKETS | rex field=_raw "Filename(?&lt;phoneid&gt;)(?=[A-Z][A-Z][A-Z]).*(?=-)" | stats count by phoneid</LI-CODE> <P>&nbsp;</P> <P>Here an example of the log entry:</P> <P><SPAN class=""><SPAN class="">2023</SPAN>-01-04</SPAN> <SPAN class="">15:08:09.001175</SPAN> <SPAN class="">DEBUG</SPAN><SPAN> [</SPAN><SPAN class="">0xce4</SPAN><SPAN>] </SPAN><SPAN class="">VoiceRecorderUpdateTask.cpp</SPAN><SPAN>[</SPAN><SPAN class="">28</SPAN><SPAN>] </SPAN><SPAN class="">VoiceRecorderUpdateTask::runTask:</SPAN> <SPAN class=""><SPAN class="">MSG_VOICERECORDING_NOTIFY:SRC_NOTIFY_NO_PACKETS</SPAN></SPAN> <SPAN class="">:</SPAN> <SPAN class="">Filename</SPAN><SPAN>(</SPAN><SPAN class="">4281-1672873674000-4125-SEP12345678-98962688</SPAN><SPAN>)</SPAN></P> <P><SPAN>I want to capture the information from the 4th stanza.&nbsp; I'm trying to use lookahead to target the three alpha characters.&nbsp; This works as expected in regex101.com but Splunk is not producing any results.&nbsp; I've read in several articles that lookahead doesn't work as you would expect it to but I haven't been able to piece together a search that will work.&nbsp; Maybe I'm going about this the wrong way.&nbsp; Any help is appreciated.</SPAN></P> <P>Thanks,</P> <P>Mike</P> Fri, 06 Jan 2023 04:15:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-lookahead-to-capture-the-information-from-the/m-p/625919#M217568 mikecal 2023-01-06T04:15:01Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-lookahead-to-capture-the-information-from-the/m-p/625920#M217569 <P>As you've read, Splunk does not do well with lookahead (or lookbehind).&nbsp; Fortunately, lookahead rarely is necessary.&nbsp; Try this regex to get the three letters in the Filename field.</P><LI-CODE lang="markup">Filename\([\d-]+(?&lt;phoneid&gt;[A-Z]{3})</LI-CODE> Thu, 05 Jan 2023 01:25:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-lookahead-to-capture-the-information-from-the/m-p/625920#M217569 richgalloway 2023-01-05T01:25:51Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-lookahead-to-capture-the-information-from-the/m-p/625961#M217577 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207603">@mikecal</a>,</P><P>i you want to extract the full phoneid, you can use :</P><LI-CODE lang="markup">index=calabrio MSG_VOICERECORDING_NOTIFY:SRC_NOTIFY_NO_PACKETS | rex "Filename\((?&lt;phoneid&gt;[^\)]+)" | stats count by phoneid</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/o6MmDk/1" target="_blank">https://regex101.com/r/o6MmDk/1</A></P><P>if you want only the last numbers, you can use</P><LI-CODE lang="markup">index=calabrio MSG_VOICERECORDING_NOTIFY:SRC_NOTIFY_NO_PACKETS | rex "Filename\(\w+-\w+-\w+-\w+-(?&lt;IBAN&gt;[^\)]+)" | stats count by phoneid</LI-CODE><P>that you can test at <A href="https://regex101.com/r/o6MmDk/2" target="_blank">https://regex101.com/r/o6MmDk/2</A>&nbsp;</P><P>Ciao.</P><P>Giuseppe</P> Thu, 05 Jan 2023 08:36:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-lookahead-to-capture-the-information-from-the/m-p/625961#M217577 gcusello 2023-01-05T08:36:35Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-lookahead-to-capture-the-information-from-the/m-p/626044#M217600 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;for your quick replies!&nbsp; Ultimately, Rich's search served my needs best.&nbsp; One funny oddity, I needed to use the dash after the stanza as a delimiter and lookahead worked just fine in that capacity.&nbsp;&nbsp;</P><P>index=calabrio MSG_VOICERECORDING_NOTIFY:SRC_NOTIFY_NO_PACKETS<BR />| rex field=_raw "Filename\([\d-]+(?&lt;phoneid&gt;[A-Z]{3}.*<STRONG>(?=-)</STRONG>)"<BR />| stats count by phoneid</P> Thu, 05 Jan 2023 18:30:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-lookahead-to-capture-the-information-from-the/m-p/626044#M217600 mikecal 2023-01-05T18:30:22Z