https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160789#M45469 <P>as suggested above a capture group is needed. also the field name is needed within the capture group.</P> <P>that alone did not work for me. I actually needed to add ?P after the first parenthesis in the capture group. as an example.</P> <P>(?PYourRegex),</P> Sat, 27 Apr 2019 20:38:29 GMT 000datageek 2019-04-27T20:38:29Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160779#M45459 <P>This is day 2 working with splunk. I want to extract a portion of an xml printout in the logs. My regex works fine, but splunk does not let me continue. Note that not all my events will have a match for my regex - in that case I want the field to just be blank.</P> <P>Am I doing something wrong here?</P> <PRE><CODE>\w|\W+&lt;externalBANID&gt;[0-9]+ </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/535iEC29410D514B41A4/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 04 Aug 2015 20:13:39 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160779#M45459 jpetrides 2015-08-04T20:13:39Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160780#M45460 <P>You don't have a capturing group in your regex string. Splunk won't extract a field without one.</P> Tue, 04 Aug 2015 21:04:05 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160780#M45460 richgalloway 2015-08-04T21:04:05Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160781#M45461 <P>@richgalloway is correct, you need to wrap your regex in a capturing group, ()</P> Tue, 04 Aug 2015 21:49:24 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160781#M45461 dolivasoh 2015-08-04T21:49:24Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160782#M45462 <P>Thanks! I think I need to do a little more regex homework to get this to work the way I want. I really appreciate the quick responses!</P> Wed, 05 Aug 2015 15:22:12 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160782#M45462 jpetrides 2015-08-05T15:22:12Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160783#M45463 <P>The best way I've found to learn (or teach) this topic is to use the GUI feature at first rather than try to write your own regex from scratch. If you have a complex pattern you think it won't pick up on, using the 'write my own' is certainly more robust, but you can grab the syntax and save yourself a lot of time digging using the 'Show Regular Expression" link using the regular GUI flow (rather than the "I prefer to write my own")</P> Wed, 05 Aug 2015 15:34:56 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160783#M45463 snalonzo 2015-08-05T15:34:56Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160784#M45464 <P>Hi Snalonzo,</P> <P>Thanks for the suggestion - I tried that after reading your post and it can't seem to figure out the field correctly. I think this will work for most other fields.</P> <P>Part of my problem is that I'm trying to parse out xml fields from within a log file that has a bunch of other java/weblogic text based noise in it.</P> Thu, 06 Aug 2015 15:29:19 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160784#M45464 jpetrides 2015-08-06T15:29:19Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160785#M45465 <P>Thanks for the reply. Now I am here.</P> <P>([0-9]+)&lt;\/ns3:externalBANId&gt;</P> <P>However, it is still not letting me save, so something is still wrong with my regex. I defined the capturing group as the set of digits between those two strings. Still, it doesn't seem to like it.</P> Thu, 06 Aug 2015 15:31:06 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160785#M45465 jpetrides 2015-08-06T15:31:06Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160786#M45466 <PRE><CODE>(&lt;whatever_name_you_want&gt;[0-9]+) </CODE></PRE> <P>With the above, ([0-9]+), you are matching a number between 0-9, 1 or more times, but are not naming that anything, so its not letting you save that thing (because Splunk would do nothing with that matching).</P> <P>Anything outside of the parenthesis is outside of the capture, the first thing in the paren should be </P> <PRE><CODE>&lt;fieldname&gt; </CODE></PRE> <P>then the pattern you want to extract, then close paren, then anything after that pattern that further restricts the match.</P> <P>Regex can be tricky at first, and certainly Splunk has its own regex quirks, but it gets easier - we promise <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Thu, 06 Aug 2015 17:19:46 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160786#M45466 snalonzo 2015-08-06T17:19:46Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160787#M45467 <P>This did the trick:</P> <P><CODE>\(?[0-9]+)\&lt;\/ns3:externalBANId\&gt;</CODE></P> <P>it pulled out the digits between the two tags and assigned it the BAN_ID name.</P> <P>Thank you!</P> Thu, 06 Aug 2015 17:58:57 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160787#M45467 jpetrides 2015-08-06T17:58:57Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160788#M45468 <P>(?[0-9]+)&lt;\/ns3:externalBANId&gt;</P> <P>I got it! Thanks for the help. Defining the field name was the part that I was missing.</P> Thu, 06 Aug 2015 18:00:29 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160788#M45468 jpetrides 2015-08-06T18:00:29Z https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160789#M45469 <P>as suggested above a capture group is needed. also the field name is needed within the capture group.</P> <P>that alone did not work for me. I actually needed to add ?P after the first parenthesis in the capture group. as an example.</P> <P>(?PYourRegex),</P> Sat, 27 Apr 2019 20:38:29 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-continue-after-using-a-regular-expression-to-extract-a/m-p/160789#M45469 000datageek 2019-04-27T20:38:29Z