https://community.splunk.com/t5/Splunk-Search/rex-matching-everything-until-a-tab/m-p/22930#M3999 <P>Thanks Ayn for the answer.<BR /> I also managed to do the same replacing <CODE>\.+</CODE> by <CODE>[^\t]+</CODE></P> Mon, 28 Nov 2011 11:44:34 GMT wsw70 2011-11-28T11:44:34Z https://community.splunk.com/t5/Splunk-Search/rex-matching-everything-until-a-tab/m-p/22928#M3997 <P>Hello,</P> <P>I am trying to parse a log from a Tipping Point IPS. An example of the log I get is (the log is cut for clarity, there is normally more on the line)</P> <PRE><CODE>Nov 28 07:37:50 10.22.250.151 8 4 dab8b814-b100-11e0-06b9-e527e93f10b7 00000001-0001-0001-0001-000000004270 4270: HTTP: PHP Code Injection 4270 </CODE></PRE> <P>Everything is OK when parsing it via</P> <PRE><CODE>rex "[a-zA-Z]+\\s+\\d+\\s+\\d+:\\d+:\\d+\\s+\\d+\\.\\d+\\.\\d+\\.\\d+\\s+(?P&lt;ACTION&gt;\\d+)\\s+(?P&lt;CRIT&gt;\\d+)\\s+[0-9-]+\\s+[0-9-]+\\s+(?P&lt;ATTACKID&gt;\\d+):" </CODE></PRE> <P>and I get the ACTION, CRIT and ATTACKID fields. So far so good.</P> <P>I then wanted to get the next piece of information which is the attack description (<EM>HTTP: PHP Code Injection</EM>). <STRONG>Fields are separated by a TAB</STRONG>. I therefore tried</P> <PRE><CODE>rex "[a-zA-Z]+\\s+\\d+\\s+\\d+:\\d+:\\d+\\s+\\d+\\.\\d+\\.\\d+\\.\\d+\\s+(?P&lt;ACTION&gt;\\d+)\\s+(?P&lt;CRIT&gt;\\d+)\\s+[0-9-]+\\s+[0-9-]+\\s+(?P&lt;ATTACKID&gt;\\d+):\s+(?P&lt;ATTACKNAME&gt;.+)\\t\\d+" </CODE></PRE> <P>the idea being to match every character up to the tab one. I end up catching the remaining of the line (ie. the match does not stop at the tab).</P> <P>I tried to run this through <A href="http://www.rubular.com">Rubular</A> with the source data copied/pasted from Splunk and it works (this is to say that there is indeed a tab as a separator, I also see this in the search window). Looks like there is a specific way to catch the tab character, or that <CODE>\.+</CODE> catches everything until the end of the line.</P> <P>Thanks a lot for any pointer (and sorry as my question must be obvious to someone used to regex) -- WoJ</P> Mon, 28 Nov 2011 10:54:51 GMT https://community.splunk.com/t5/Splunk-Search/rex-matching-everything-until-a-tab/m-p/22928#M3997 wsw70 2011-11-28T10:54:51Z https://community.splunk.com/t5/Splunk-Search/rex-matching-everything-until-a-tab/m-p/22929#M3998 <P>You need to use a non-greedy match. The current greedy one looks like this:</P> <PRE><CODE>(?P&lt;ATTACKNAME&gt;.+)\t </CODE></PRE> <P>which tells the regex engine to return the longest possible match that satisfies the conditions. The corresponding non-greedy match would be (note the "?"):</P> <PRE><CODE>(?P&lt;ATTACKNAME&gt;.+?)\t </CODE></PRE> <P>This tells the regex engine to return the shortest possible match, i.e. only match up until the first tab character it finds.</P> Mon, 28 Nov 2011 11:39:52 GMT https://community.splunk.com/t5/Splunk-Search/rex-matching-everything-until-a-tab/m-p/22929#M3998 Ayn 2011-11-28T11:39:52Z https://community.splunk.com/t5/Splunk-Search/rex-matching-everything-until-a-tab/m-p/22930#M3999 <P>Thanks Ayn for the answer.<BR /> I also managed to do the same replacing <CODE>\.+</CODE> by <CODE>[^\t]+</CODE></P> Mon, 28 Nov 2011 11:44:34 GMT https://community.splunk.com/t5/Splunk-Search/rex-matching-everything-until-a-tab/m-p/22930#M3999 wsw70 2011-11-28T11:44:34Z