https://community.splunk.com/t5/Splunk-Search/How-to-find-which-group-was-matched-in-a-regex-when-multiple/m-p/301531#M90785 <P>How and where are you doing this? Is it search-time with SPL or is it index-time with configuration files? Show us your "code".</P> Fri, 07 Jul 2017 21:20:18 GMT woodcock 2017-07-07T21:20:18Z https://community.splunk.com/t5/Splunk-Search/How-to-find-which-group-was-matched-in-a-regex-when-multiple/m-p/301530#M90784 <P>I am using multiple capturing groups in regex and extracting the value of multiple groups to same field.</P> <P>For ex:</P> <PRE><CODE>(group1)|(group2)|(group3)|(group4)|(group5) </CODE></PRE> <P>I have defined a field extraction to extract values of <CODE>group1</CODE>, <CODE>group2</CODE> and <CODE>group3</CODE> to one field ( say <CODE>field1</CODE> ). Now If some data matched above regex (say <CODE>group2</CODE> is matched), its value is extracted to <CODE>field1</CODE>. At this point I know that one of the first 3 groups matched. But is there a way to find out which group matched out of the first 3 groups? I had to extract multiple group values to a single field because all those groups can contain similar data and all the groups does not get logged in one log statement. Also there are so many capturing groups and I don't want to have separate field extraction for each group.</P> Fri, 07 Jul 2017 19:51:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-which-group-was-matched-in-a-regex-when-multiple/m-p/301530#M90784 girrajubharath 2017-07-07T19:51:01Z https://community.splunk.com/t5/Splunk-Search/How-to-find-which-group-was-matched-in-a-regex-when-multiple/m-p/301531#M90785 <P>How and where are you doing this? Is it search-time with SPL or is it index-time with configuration files? Show us your "code".</P> Fri, 07 Jul 2017 21:20:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-which-group-was-matched-in-a-regex-when-multiple/m-p/301531#M90785 woodcock 2017-07-07T21:20:18Z https://community.splunk.com/t5/Splunk-Search/How-to-find-which-group-was-matched-in-a-regex-when-multiple/m-p/301532#M90786 <P>I'm dubious about your statement that you <EM>had to</EM>. It sounds like you <EM>chose to</EM>, and then you found that your choice has caused a problem you didn't anticipate. </P> <P>In essence, you are probably going to have to query the field to figure out what's in it, which would be more intuitive if you just extracted it into separate fields with the similar data named similarly and the different data named differently for each potential format. </P> Sat, 08 Jul 2017 20:50:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-which-group-was-matched-in-a-regex-when-multiple/m-p/301532#M90786 DalJeanis 2017-07-08T20:50:37Z https://community.splunk.com/t5/Splunk-Search/How-to-find-which-group-was-matched-in-a-regex-when-multiple/m-p/301533#M90787 <P>You really can't. Splunk does not expose how things were matched. Now, for debugging purposes, if you want to be freakishly clever, you can do something like this:</P> <PRE><CODE>(?&lt;common_name&gt;(?&lt;unique1&gt;a+))|(?&lt;common_name&gt;(?&lt;unique2&gt;b+)) </CODE></PRE> <P>Assuming Splunk has the regex library configured to allow for duplicate subpattern names in a single regex (and I assume they do, but don't know this for a fact), then you could extract the field named <CODE>common_name</CODE> either as "a+" or "b+" -- but in the "a+" case we would also extract "unique1", and in the "b+" case we would also extract "unique2". This is taking advantage of some oddities of the regex engine.</P> <P>Fun fact: This is also a semi-reasonable approach to replacing some instances of <CODE>FIELDALIAS</CODE> and some edge cases for <CODE>EVAL</CODE></P> Sun, 09 Jul 2017 18:54:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-which-group-was-matched-in-a-regex-when-multiple/m-p/301533#M90787 dwaddle 2017-07-09T18:54:27Z