topic How do I write a regular expression to return a matching pattern in my logs? in Splunk Search

How do I write a regular expression to return a matching pattern in my logs?

pradjswl — Thu, 26 Jan 2017 17:14:07 GMT

Any string starting with COLDAPP , ending with double colon, would be a Tx id in my logs. it can be at the beginning/middle/end as the logs are not fully structured always. How do i write a regex to return a matching pattern starting with a COLDAPP and ends with double colon, excluding the double colon in returned pattern.

Example of log:

 BaseProcessor pool-62-thread-84 - COLDAPP_WS_780144376_148455147959900002_pbv14slm2_12910::3tWofZ2Bb

I am trying

COLDAPP(?P.*?)::

it returns

 _WS_780144376_148455147959900002_pbv14slm2_12910

How do i return

COLDAPP_WS_780144376_148455147959900002_pbv14slm2_12910

Thanks in advance for your help.

Re: How do I write a regular expression to return a matching pattern in my logs?

dtregonning_spl — Thu, 26 Jan 2017 17:19:21 GMT

(COLDAPP?P.*)::

Re: How do I write a regular expression to return a matching pattern in my logs?

pradjswl — Thu, 26 Jan 2017 20:10:57 GMT

@dtregonning_splunk somwhow its not working. I am trying my query on regex101.com. Is there anything wrong I would b doing ?

PS: I was trying to attach a snap, but i got message I would need more karma point to attach image in the post.

Re: How do I write a regular expression to return a matching pattern in my logs?

dtregonning_spl — Thu, 26 Jan 2017 22:35:27 GMT

Hmm, im not sure @pradjswl. Look for any trailing or leading spaces. here is a screenshot of what i had.

Re: How do I write a regular expression to return a matching pattern in my logs?

pradjswl — Fri, 27 Jan 2017 17:02:51 GMT

@dtregonning_splunk how/where do i specify the name of extracted filed in this format ? on regex portal it does return the correct value. How would this work in splunk, as I understand we need to specify the extracted filed name in the query it self with triangular bracket. I tried putting triangular bracket in the query but getting syntax error.

Re: How do I write a regular expression to return a matching pattern in my logs?

dtregonning_spl — Tue, 29 Sep 2020 12:42:55 GMT

(?COLDAPP?P.*)::

replace field_name_xxx to whatever you would like to call the extraction field.

Re: How do I write a regular expression to return a matching pattern in my logs?

pradjswl — Mon, 06 Feb 2017 15:50:23 GMT

@dtregonning_splunk some how splunk comment omits the fieldname while we comment. I see it was omitted in the question I posted, and the response you are posting. It would be a great if you can post a screenshot with field name.

I truly appreciate your help.

By the way how much point do i need to earn before I can start posting images in the comment?

Re: How do I write a regular expression to return a matching pattern in my logs?

dtregonning_spl — Mon, 06 Feb 2017 18:14:37 GMT

sorry @pradjswl looks like the comment interpreted my text as html. Here is a screenshot showing the regex

Re: How do I write a regular expression to return a matching pattern in my logs?

pradjswl — Mon, 06 Feb 2017 20:30:54 GMT

great, that works 🙂

Re: How do I write a regular expression to return a matching pattern in my logs?

aaraneta_splunk — Sun, 12 Feb 2017 05:33:01 GMT

@pradjswl - 60 Karma points are required to attach files. Here's a general outline of how to earn Karma points on Answers as well as how much Karma is required in order to unlock certain site capabilities.