
Extracting field values using a negative match

mundus
Path Finder

I have log messages that look like the following:

Aug 4 11:13:57 craig gnome-keyring-daemon[2252]: PROMPT OUTPUT: [transport]

Aug 4 11:15:01 craig CRON[10865]: pam_unix(cron:session): session opened for user root by (uid=0)

Aug 4 11:25:51 craig sudo: craig : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/bin/bash

Aug 4 08:57:56 craig xscreensaver: pam_unix(xscreensaver:auth): auth could not identify password for [craig]

I'm trying to extract:

gnome-keyring-daemon

CRON

sudo

xscreensaver

The regex generated by the field extraction tool is giving me "any character that is not a left bracket": [^\[]+

What I need is "any character that is not a left bracket or colon", such as [^\[|:]+ But if I put that in, the field extraction utility throws an error.

But for some reason Splunk doesn't like the standard "|" for OR. How can I write a field extraction that is the equivalent of "any character that is not a left bracket or colon"?

Thx.

Craig

1 Solution

gkanapathy
Splunk Employee

The pipe character is not used for alternation when specifying a character in a character class, i.e., what is inside of [] or [^] sets is not a regular expression, but listing sets of characters. This has nothing to do with Splunk, but is standard for most regex, including PCRE. Therefore, the correct character class specification is: [^\[:].

Also, I don't know why you have the extra backslash in your question. You need it if you're using rex in a search expression to quote the backslash, but when providing the regex directly, such as in the config file or the regex creator, it is wrong.


gkanapathy
Splunk Employee

Oh great. Splunkbase is adding the extra backslashes. Exactly what it should not be doing.

dmlee
Communicator

I think the regex is \w+\s\d+\s\d+:\d+:\d+\s\w+\s([^:[]+)

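An added check, not part of the thread, that runs the accepted answer's character class and dmlee's full regex over the four log lines from the question. It uses Python's re module, whose bracket-class rules match PCRE on the points discussed here: a pipe inside brackets is a literal character, and a doubled backslash inside brackets puts a literal backslash into the set rather than escaping the bracket. The function names and the `^\w+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+` prefix are my own; the sample lines are copied from the question.

```python
import re

# Sample lines, copied from the question.
LOG_LINES = [
    "Aug 4 11:13:57 craig gnome-keyring-daemon[2252]: PROMPT OUTPUT: [transport]",
    "Aug 4 11:15:01 craig CRON[10865]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Aug 4 11:25:51 craig sudo: craig : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/bin/bash",
    "Aug 4 08:57:56 craig xscreensaver: pam_unix(xscreensaver:auth): auth could not identify password for [craig]",
]

# Syslog prefix (month, day, time, host), then the program name, which ends at
# the first '[' (PID follows) or ':' (no PID). The class [^\[:] from the accepted
# answer excludes both; the prefix pattern is my own assumption about the format.
PROGRAM_RE = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+(?P<program>[^\[:]+)")

# dmlee's regex from the thread, unchanged; group 1 is the program name.
THREAD_RE = re.compile(r"\w+\s\d+\s\d+:\d+:\d+\s\w+\s([^:[]+)")


def extract_program(line, pattern=PROGRAM_RE):
    """Return the program name from one syslog line, or None if it does not parse."""
    m = pattern.match(line)
    return m.group(1) if m else None


def extract_all(lines, pattern=PROGRAM_RE):
    """Program names for a list of lines, in order."""
    return [extract_program(line, pattern) for line in lines]


def first_run_allowed_by(char_class_pattern, text):
    """Longest run at the start of text made only of characters the class allows.

    Used to show what a bracket expression really excludes: '|' inside [] is a
    literal, and '\\\\' inside [] is a literal backslash, not an escape of '['.
    """
    m = re.compile(char_class_pattern).match(text)
    return m.group(0) if m else ""


if __name__ == "__main__":
    for name in extract_all(LOG_LINES):
        print(name)
    # '|' in the class is literal, so [^\[|:] also stops at a pipe.
    print(first_run_allowed_by(r"[^\[:]+", "a|b:c"))   # a|b
    print(first_run_allowed_by(r"[^\[|:]+", "a|b:c"))  # a
    # A doubled backslash adds a backslash to the excluded set.
    print(first_run_allowed_by(r"[^\\[:]+", "a\\b:c"))  # a
```

Both patterns give gnome-keyring-daemon, CRON, sudo and xscreensaver for the four lines. The `first_run_allowed_by` calls show the two points from the accepted answer: `[^\[|:]` still extracts these program names, but it silently excludes `|` as well, and `[^\\[:]` excludes a literal backslash rather than escaping the bracket.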

Ayn
Legend

The double backslashes are likely due to a bug on splunk-base that duplicates backslashes (see your own answer as well).
