topic Re: Adding a fieldname to a regex extraction in Splunk Search

Adding a fieldname to a regex extraction

agodoy — Mon, 04 Feb 2013 18:47:09 GMT

I have this regex (https?:\/\/)?(www)?(.)?([a-z\d-]{2,})?(.)?([a-z\d-]{2,})?(.)?([a-z\d-]{2,})?.[a-z]{2,4} that I want to use to extract a new field.

How do I incorporate a field name to that regex to use in field extraction.
Thanks!

Re: Adding a fieldname to a regex extraction

yannK — Mon, 04 Feb 2013 18:58:13 GMT

you need to define a special group with (?< fieldname >regexmatch)

read the documentation for examples :
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Rex

Re: Adding a fieldname to a regex extraction

Rob — Mon, 04 Feb 2013 19:05:51 GMT

Hi agodoy,

To extract fields using the Splunk search language, you will want to use the rex command. This is in the syntax of:

|rex field=myFieldName "myRegex(?regexToMatchValueForMyNewField)anyOtherRegex"

More info can be found in the docs.

Looking at your regex, you may want to clean up the regex a little.

Re: Adding a fieldname to a regex extraction

agodoy — Mon, 04 Feb 2013 19:21:29 GMT

Thank you both.

So I changed my search to:

(?<name>(https?:\/\/)?(www)?(\.)?([a-z\d\-]{2,})?(\.)?([a-z\d\-]{2,})?(\.)?([a-z\d\-]{2,})?\.[a-z]{2,4})

It works when I do a ... | rex "(?<name>(https?:\/\/)?(www)?(\.)?([a-z\d\-]{2,})?(\.)?([a-z\d\-]{2,})?(\.)?([a-z\d\-]{2,})?\.[a-z]{2,4})" | top 50 name.

However, if I try to save a field extraction with that same regex I get an error"Encountered the following error while trying to update: In handler 'props-extract': Regex: syntax error in subpattern name (missing terminator)". It might be because of my dirty regex.

Thanks

Re: Adding a fieldname to a regex extraction

yannK — Mon, 04 Feb 2013 19:26:32 GMT

nice job mister

Re: Adding a fieldname to a regex extraction

Rob — Mon, 04 Feb 2013 19:37:36 GMT

Thank you sir! Nice job to you as well!

Re: Adding a fieldname to a regex extraction

Rob — Mon, 04 Feb 2013 19:49:39 GMT

Quite possibly, I would say that you may want to try doing some atomic grouping. In other words, for all the grouped up stuff in parentheses, like this:

(https?)...

Change it to;

(?:https?)