topic Re: My regex is not working in Splunk although it works at regex101.com in Splunk Search

My regex is not working in Splunk although it works at regex101.com

ugruner — Wed, 06 Dec 2017 19:10:25 GMT

Hello,

I have a field "group" these field contains some values with a prefix: "AD-". I need to get rid of the prefix.

E.g
AD-test = test
ADtest = ADtest
test = test
AD-123 = 123
123 = 123

I am trying to do this with regex. My regex works fine outside of Splunk e.g at regex101.com or in a powershell script, but I am not able to get it work in splunk.

This is my regex: [^AD-].\s

But in splunk | rex field="group" (?[^AD-].\s) results in: Missing a search command before '^'. ..... Error in 'SearchParser': errorcontext = [^AD-].*\s)}'.

Udo

Re: My regex is not working in Splunk although it works at regex101.com

elliotproebstel — Wed, 06 Dec 2017 19:31:24 GMT

That's a great place to use the replace command:
[your search] | replace "AD-*" with "*" in group

Cleaner and easier than most regex!

Re: My regex is not working in Splunk although it works at regex101.com

rphillips_splk — Wed, 06 Dec 2017 20:16:01 GMT

to clarify , you have 1 field called group and the value of the field needs AD- stripped off ?

ie:
group = AD-test

should be:

group = test

Re: My regex is not working in Splunk although it works at regex101.com

rphillips_splk — Wed, 06 Dec 2017 20:25:51 GMT

I would agree with @elliotproebstel !

Re: My regex is not working in Splunk although it works at regex101.com

ugruner — Thu, 07 Dec 2017 07:52:29 GMT

Thanks, I am always thinking too complicated.