topic Re: Regex search not working in Splunk Search

Regex search not working

dmittel — Thu, 28 Jan 2016 21:37:42 GMT

So I have a couple of lines that I am trying to get info out of using regex and it's not going quite the way I was hoping. Say in my events I have the lines below

1.) \Device\HarddiskVolume23\Test1
2.) \Device\HarddiskVolume23\Test1\Test
3.) \Device\HarddiskVolume23\Test1\Test\Test1

What I am looking to get is the results that would just be the root directories ( \Device\HarddiskVolume23\Test1 ). So I'm trying to set up a regex that does just that, but I'm not having the best of luck.

If I do the following, I will get the results 1 and 3 above.

regex Object_Name="Test1$"

I was trying to set up the search so it would go:

regex Object_Name="HarddiskVolume\d\\d\\Test1$"

That doesn't return any results. Even if I used:

regex Object_Name="HarddiskVolume23\\Test1$"

I do not get any results.

I have multiple different paths to get this to search for, so that is why I would like to use as many regex variables as I can.

So what can I do to get this to work properly?

Re: Regex search not working

MuS — Thu, 28 Jan 2016 21:59:50 GMT

Hi dmittel,

if the the events always have the same pattern like \device\volume\name you can use this little regex:

 \\\w+\\\w+\\\w+

which will get \Device\HarddiskVolume23\Test1 from all provided examples.

Hope this helps ...

cheers, MuS

Re: Regex search not working

richgalloway — Thu, 28 Jan 2016 22:02:36 GMT

This works with your sample data. Because SPL and the regex engine both use backslash as an escape character, you have to use 4 backslashes to match a backslash.

regex Object_Name="\\\\\w+?\\\\\w+?\\\\\w+"

Re: Regex search not working

dmittel — Thu, 28 Jan 2016 22:06:20 GMT

The problem is the event isnt always \device\volume\name. There are other events logged that have other paths that I am not concerned about.

When I try the regex Object_Name="\\\\\w+?\\\\\w+?\\\\\w+" it returns all results

Re: Regex search not working

somesoni2 — Thu, 28 Jan 2016 22:23:10 GMT

This works fine for me. (comes with run anywhere example with your sample data)

| gentimes start=-1 | eval temp="\Device\HarddiskVolume23\Test1 \Device\HarddiskVolume23\Test1\Test \Device\HarddiskVolume23\Test1\Test\Test1" | makemv temp| table temp | mvexpand temp | regex temp="HarddiskVolume\d+\\\Test1$"

You're almost there, just missing additional backslash

Re: Regex search not working

bmacias84 — Thu, 28 Jan 2016 22:55:50 GMT

This regex statement will match all three lines assuming each lines begins with a backslash.

^(\\[^\\]+){3}

In SPL it would look like:

...| rex field=_raw "^(?<myfield>(\\[^\\]+){3})"
or 
...| rex field=_raw "^(?<myfield>(\\[^\\]+){3})" max_match=0 |