https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101729#M26272 <P>Is there any way you could explain what you did to me? Because I have to build extractions for the data in the separate sections (separated by -) in that bracket.</P> <P>Awesome, fast answer btw.</P> Tue, 17 Jul 2012 21:30:58 GMT beaunewcomb 2012-07-17T21:30:58Z https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101725#M26268 <P>I need to extract fields from a set of results with inconsistent formatting. I think this would be easy for a regex pro. </P> <P>Here are two events:</P> <P>Jul 17 15:44:01 hostname 192.168.0.1 [st2-b3-inter-d005][system][error] trans(119657588)[192.168.0.2]: Unable to open URL </P> <P>Jul 17 15:44:01 hostname 192.168.0.1 [network][error] trans(2064751791): Host connection could not be established</P> <P>I need multiple extractions for the data within the first set of brackets (separated by the dash) in event 1. You'll see that event 2 doesn't contain this type of data at all.</P> <P>Basically I need a regex that says "Match everything between the first [ and first - but not if there are more than 3 characters before the -"</P> <P>I'm basically a regex noob!</P> <P>Thanks!</P> Tue, 17 Jul 2012 21:11:08 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101725#M26268 beaunewcomb 2012-07-17T21:11:08Z https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101726#M26269 <P>This should do it:</P> <PRE><CODE>\[([^-]{0,3})- </CODE></PRE> Tue, 17 Jul 2012 21:20:46 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101726#M26269 Ayn 2012-07-17T21:20:46Z https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101727#M26270 <P>Wow, fast response! How would I use that in the field extractor?</P> Tue, 17 Jul 2012 21:23:11 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101727#M26270 beaunewcomb 2012-07-17T21:23:11Z https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101728#M26271 <P>The field extractor wants a named extraction for FIELDNAME if I remember correctly, so:</P> <PRE><CODE>\[(?P&lt;FIELDNAME&gt;[^-]{0,3})- </CODE></PRE> Tue, 17 Jul 2012 21:24:44 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101728#M26271 Ayn 2012-07-17T21:24:44Z https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101729#M26272 <P>Is there any way you could explain what you did to me? Because I have to build extractions for the data in the separate sections (separated by -) in that bracket.</P> <P>Awesome, fast answer btw.</P> Tue, 17 Jul 2012 21:30:58 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101729#M26272 beaunewcomb 2012-07-17T21:30:58Z https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101730#M26273 <P>I did nothing to you! <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>No, sure. The regex first looks for the opening bracket, which has to be escaped because [ is a special character in regexes otherwise.</P> <PRE><CODE>\[ </CODE></PRE> <P>Then the matching starts. We're looking for characters that are NOT the dash sign.</P> <PRE><CODE>\[([^-] </CODE></PRE> <P>Match if we find at least 0 and at most 3 non-dash characters.</P> <PRE><CODE>\[([^-]{0,3} </CODE></PRE> <P>End our matching group, and only match if this is immediately followed by a dash sign.</P> <PRE><CODE>\[([^-]{0,3})- </CODE></PRE> <P>I hope that sheds some light on how the regex is built step by step.</P> Tue, 17 Jul 2012 21:36:33 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101730#M26273 Ayn 2012-07-17T21:36:33Z https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101731#M26274 <P>Hahah you helped me!</P> <P>You rock.. thanks a lot. I need to get this regex stuff down.</P> Tue, 17 Jul 2012 22:24:37 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-easy-one/m-p/101731#M26274 beaunewcomb 2012-07-17T22:24:37Z