All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Can i write a conditional regular expression?

royimad
Builder
‎04-11-2013 01:51 AM

Hello Splunk Expert,
I'm writing a regular expression rex to extract a new field from a log with multi line.
The log is as following

Event 1: 2012/03/20 ERROR ABC - XYX
.... multi lines

Event 2: 2012/04/20 ERROR ABC - KLM
Event 3: 2012/04/29 FATAL CDR - SKL
.... multi lines

I need to get 2 lines started from "-" or one line if multi lines doesn't exist, so a conditional regular expression:

My regular expression example is getting 50 characters if exist after the "-" but if those 50 characters doesn't exist my regular expression didn't extract KLM wich is 3 characters.
(?-.{50})

Lines length is varied sometimes more sometimes less than 50 characters.

So how to write a regular expression to extract one line after the "-" and 2 lines if exist after the "-"?

Thanks,
Roy

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-11-2013 03:48 AM

The following works in a regex testing tool (don't have a splunk on me right now). Added the Splunk specific field extraction stuff.

(?m)\s-\s(?<description>([\w\s]+$?[\w\s]+))

Right now it requires [\w\s]+ on both sides of an optional linebreak. If your events contain other characters in the message, you'll have to add them to the character classes (e.g +:;.,?!% etc).

Minimum length will be 2 otherwise the regex will fail.

UPDATE:

It seems that my regex skill were not up to speed: this seems to be a case where you have to double your backslashes in the specification of the pattern you want to capture;

   ... | rex "(?m)\s+-+\s+(?<AAA>([\\s\\w.\\[\\]:/]+\$?[\\s\\w.\\[\\]:/]+))" | ...

which should capture the following characters [\s\w.\[\]:/] on each side of an optional $. As you can see above, the newline needs to be escaped as well. Why it works this way.. dunno.

http://stackoverflow.com/questions/6288181/javascript-regex-nothing-to-repeat-error gave me the idea to try it, and it worked. Anyone with deeper understanding, willing to share?

Tested and working on 5.0.2.

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-11-2013 03:48 AM

The following works in a regex testing tool (don't have a splunk on me right now). Added the Splunk specific field extraction stuff.

(?m)\s-\s(?<description>([\w\s]+$?[\w\s]+))

Right now it requires [\w\s]+ on both sides of an optional linebreak. If your events contain other characters in the message, you'll have to add them to the character classes (e.g +:;.,?!% etc).

Minimum length will be 2 otherwise the regex will fail.

UPDATE:

It seems that my regex skill were not up to speed: this seems to be a case where you have to double your backslashes in the specification of the pattern you want to capture;

   ... | rex "(?m)\s+-+\s+(?<AAA>([\\s\\w.\\[\\]:/]+\$?[\\s\\w.\\[\\]:/]+))" | ...

which should capture the following characters [\s\w.\[\]:/] on each side of an optional $. As you can see above, the newline needs to be escaped as well. Why it works this way.. dunno.

http://stackoverflow.com/questions/6288181/javascript-regex-nothing-to-repeat-error gave me the idea to try it, and it worked. Anyone with deeper understanding, willing to share?

Tested and working on 5.0.2.

Kristian

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-11-2013 01:20 PM

see update above /k

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎04-11-2013 04:44 AM

I have try it on Field Extraction:
Encountered the following error while trying to update: In handler 'props-extract': Regex: nothing to repeat

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎04-11-2013 03:11 AM

I need to extract one line if their is no other lines and 2 lines if multi lines exist.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-11-2013 03:07 AM

I believe the reason for the regex failing is that you specify it to be exactly 50 characters. This cannont happen, since you reach the end of the event (line) before that.

If I understand your situation, you want to capture 50 characters after the "-", or until the end of the line, if that is shorter?

Or do you want to get the whole line 2 in case of a multi-line event?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...