https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141278#M39133 <P>This worked, but it is about as fast as my originally regex.</P> Wed, 13 Nov 2013 21:34:49 GMT mcbradford 2013-11-13T21:34:49Z https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141274#M39129 <P>I have a field called "user". I am looking for matches that contain 6 or 7 characters, and always end with "a" but does not end in "pa".</P> <P>I am using the following and it works, but I was wondering if someone might have a better regex expression that would be faster?</P> <P>regex user=".+[^p]a$"</P> Wed, 13 Nov 2013 18:51:22 GMT https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141274#M39129 mcbradford 2013-11-13T18:51:22Z https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141275#M39130 <P>I don't have data to test it but this is also an options.</P> <P>| where LIKE(user,"%a") AND NOT LIKE(user,"%pa")</P> Wed, 13 Nov 2013 19:32:24 GMT https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141275#M39130 somesoni2 2013-11-13T19:32:24Z https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141276#M39131 <P>Technically, your regex will match any length string that starts with at least one character followed by the letter 'a' (as end of string) without a letter 'p' coming before that letter 'a'. This means that it would match user="1a" or user="mydata" or user="my other data here a" so if you need to restrict to only a full string length of 6 or 7 characters, you are really looking for regex that looks for "5 or 6 of any character, followed by a letter 'a' to end the string, as long as there is not a letter 'p' immediately before the last letter 'a'" right?</P> <P>Perhaps this will work:</P> <PRE><CODE>^.{5,6}(a|[^p]a)$ </CODE></PRE> Wed, 13 Nov 2013 20:54:03 GMT https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141276#M39131 jtrucks 2013-11-13T20:54:03Z https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141277#M39132 <P>This found besmanager???</P> Wed, 13 Nov 2013 21:34:06 GMT https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141277#M39132 mcbradford 2013-11-13T21:34:06Z https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141278#M39133 <P>This worked, but it is about as fast as my originally regex.</P> Wed, 13 Nov 2013 21:34:49 GMT https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141278#M39133 mcbradford 2013-11-13T21:34:49Z https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141279#M39134 <P>Hmm. odd. I edited the entry to show string termination at the end. I don't have data in splunk to test this exact string, so it might need some tweaking. The above IS pure PCRE syntax, however. If you don't care the length of the string, your regex is perfectly fine and fast enough…</P> Wed, 13 Nov 2013 21:41:35 GMT https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141279#M39134 jtrucks 2013-11-13T21:41:35Z https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141280#M39135 <PRE><CODE>^.{5,6}(?&lt;!p)a$ </CODE></PRE> <P>should do what you want</P> Wed, 13 Nov 2013 21:58:00 GMT https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141280#M39135 jgreenleaf 2013-11-13T21:58:00Z https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141281#M39136 <P>Just a hint how to quickly test some regular expressions without having the data in splunk using eval - the examples below show tests against the regex given by jgreenleaf </P> <PRE><CODE>index=* | head 1 | eval user="12345pa" | regex user="^.{5,6}(?&lt;!p)a$" | table user index=* | head 1 | eval user="123456a" | regex user="^.{5,6}(?&lt;!p)a$" | table user </CODE></PRE> Wed, 13 Nov 2013 23:01:44 GMT https://community.splunk.com/t5/Splunk-Search/good-regex-fast/m-p/141281#M39136 tpflicke 2013-11-13T23:01:44Z