topic Boolean in Regex in Splunk Search

Boolean in Regex

DotTest37 — Thu, 28 Apr 2011 13:27:56 GMT

Im trying to solve a problem with my regex.
Im extracting the username from an XML transaction.
Sometimes the username comes like this (Byt the way, I think I dont know how to post XML code on the SplunkBase because it gets processed by the editor, so Im omitin some ">" and "<" to get it out).

<login>user1@gmail.com</login>

I can get it with this Regex:

(?i)<login>(?P<CustomerName>[^<]+)"

And sometimes like this:

<login xmlns="">user2@gmail.com</login>

I can get it with this Regex:

(?i) xmlns="">(?P<CustomerName>[^<]+)

Im trying to get a Regex that satisfy both cases,, I was thinking about a boolean, like OR (||) between the two REGEX, but it didnt work.
Im new to this and I dont know how to use it.
Thanks!!

Re: Boolean in Regex

Ayn — Thu, 28 Apr 2011 14:30:38 GMT

How about

<login[^>]*>(?P<CustomerName>[^<]+)

Re: Boolean in Regex

southeringtonp — Thu, 28 Apr 2011 14:33:14 GMT

You can use a single | symbol as an OR in regex, but you don't really need to in this case. Something like the following should work, where you simply tell it to consume any optional characters before the <login> tag's closing bracket.

(?i)<login [^>]*>(?<PCustomerName>[^<]+)"

If you really want an OR condition, you use a vertical bar (pipe) symbol, like:

(<login>)|(<login xmlns="">)(?<PCustomerName>[^<]+)"

For a good reference take a look at http://www.regular-expressions.info/

Also, check out Kodos or Regex Buddy if you need a good way to test.

Re: Boolean in Regex

DotTest37 — Thu, 28 Apr 2011 18:51:03 GMT

I tested your rewritten RegEx and they worked perfect. Im new to this and try to learn.
How do you actually use a Boolean | with the Splunk variables? an example will give me a quickstart.
Thanks guys.

Re: Boolean in Regex

DotTest37 — Fri, 29 Apr 2011 00:13:15 GMT

m new to this and try to learn. How do you actually use a Boolean | with the Splunk variables? an example will give me a quickstart. Thanks guys.