topic Regex Help in Splunk Search

Regex Help

darkins — Tue, 01 Oct 2024 23:02:31 GMT

probably a basic question

i have the following data

600 reason

and this rex

(?<MetricValue>([^\s))]+))(?<Reason>([^:|^R]+))

what i am getting is 60 in Metric Value and 0 in Reason

i presume that is due to the match being up to the next NOT space, thus metric value is 60 and 0 remains in the data for Reason

what is the right way to do this such that i get value = 600 and reason = reason

Re: Regex Help

dural_yyz — Wed, 02 Oct 2024 00:05:46 GMT

Actually most of your problem is coming from multiple capture groups inside a capture group designated by each "()" pairing.

| makeresults format=csv data="sample 600 reason and more:then what 701 code practice Reason 899 something 104 this 12 nothing" | rex field=sample "^(?<Metric>[^\s]+)\s(?<Reason>[^:|^R]+).*$" | table sample Metric Reason

You can see in my example that after the <field> I did not nest additional capture group designations such as what you were using. The above generates some random data which I hope fits your use case but you provided minimal examples so I made assumptions. The rex as coded would with draw the information you are looking for assuming that the Metric is the first one the line or field and following that is the Reason with your indicated cut off characters or end of line like I indicated. Feel free to remove the indicators for beginning of line and end of line if they don't fit your data.

Here is the output I get.

sample	Metric	Reason
600 reason and more:then what	600	reason and more
701 code practice Reason	701	code practice
899 something	899	something
104 this	104	this
12 nothing	12	nothing

Re: Regex Help

richgalloway — Wed, 02 Oct 2024 00:06:47 GMT

Given the complexity of the regex, I suspect the sample event may be over-simplified. However, if it's a matter of the value field is an integer followed by a space then everything goes into the reason field then this rex command will do.

| rex "(?<MetricValue>\d+)\s(?<Reason>.*)"