https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25856#M4914 <P>Useful link thanks BobM</P> Wed, 30 Nov 2011 21:55:56 GMT MHibbin 2011-11-30T21:55:56Z https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25851#M4909 <P>All, </P> <P>I just wanted to ask a question I should probably know the answer to, but have never been told, or found resources which answers the question...</P> <P>I am still fairly new to Regular Expressions, and not aware if this is a specific Splunk question or a RegEx question...</P> <P>What are the meanings of the values such as <CODE>(?i) (?P&lt;fieldname&gt;)</CODE>&lt;-i.e. the "<CODE>?P</CODE>" ?</P> <P>Is there any documentation on this?</P> <P>Regards, </P> <P>MHibbin</P> Wed, 30 Nov 2011 21:10:44 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25851#M4909 MHibbin 2011-11-30T21:10:44Z https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25852#M4910 <P>The <CODE>?P</CODE> means matched strings are available in the rest of the regex. Most often you probably don't need this.</P> <P>Splunk uses Python's regex engine, so this documentation is valid: <A href="http://docs.python.org/library/re.html">http://docs.python.org/library/re.html</A></P> Wed, 30 Nov 2011 21:30:25 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25852#M4910 Ayn 2011-11-30T21:30:25Z https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25853#M4911 <P>(?i) = ignore case<BR /><BR /> P = added by the python generated regex if you use the Interactive field extractor. Used for grouping.<BR /> It will work without the P.<BR /><BR /> (?&lt; &gt;) = the field name you want to create base on the group extraction.</P> <P>You can find examples here:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/4.2.4/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/4.2.4/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles</A></P> Wed, 30 Nov 2011 21:35:08 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25853#M4911 rroberts 2011-11-30T21:35:08Z https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25854#M4912 <P>This is a PCRE (perl compatible regular expression) declaration of a named capture. </P> <P>The website <A href="http://www.regular-expressions.info/named.html">http://www.regular-expressions.info/named.html</A> gives a lot of explanation and examples.</P> Wed, 30 Nov 2011 21:51:59 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25854#M4912 BobM 2011-11-30T21:51:59Z https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25855#M4913 <P>Useful information thanks Ayn</P> Wed, 30 Nov 2011 21:54:52 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25855#M4913 MHibbin 2011-11-30T21:54:52Z https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25856#M4914 <P>Useful link thanks BobM</P> Wed, 30 Nov 2011 21:55:56 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25856#M4914 MHibbin 2011-11-30T21:55:56Z https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25857#M4915 <P>Thanks for explanation, thanks rroberts</P> Wed, 30 Nov 2011 21:56:16 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25857#M4915 MHibbin 2011-11-30T21:56:16Z https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25858#M4916 <P>the letter P didnt do any harm when i used in splunk web search with "rex". But if i use the word in props.conf, it fails to extract field. Not sure why.</P> Tue, 24 Apr 2012 08:41:08 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25858#M4916 ma_anand1984 2012-04-24T08:41:08Z https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25859#M4917 <P>Can you post your regex here?</P> Tue, 24 Apr 2012 15:37:03 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Extractions-query/m-p/25859#M4917 rroberts 2012-04-24T15:37:03Z