Solved: Re: Regular expression in Splunk

saradachelluboy · ‎07-10-2016

Hi All,

I want to read the string from specific location 34 till it reaches | line

I tried wrote regex as (?<=^.{34})\w+\S\d executed in https://regex101.com/ for the provided String
INFO | 2016-07-11 00:03:00,380 | jmsListenerA-9 |

But when I tried to execute the same in splunk
rex thread=_raw "(?<=^.{34})\w+-\d"

I am getting error : Error in 'rex' command: The regex '(?<=^.{34})\w+-\d' does not extract anything. It should specify at least one named group. Format: (?...).

Could some one pls help

rakesh_498115 · ‎07-10-2016

Hi sarada,

Try something like this.

rex "(?<=38)(?<WORD>[^|]+)"

View solution in original post

premraj_vs · ‎01-24-2019

You can try this

index=XXX 
| rex field=_raw ".+\[(?P<FIELD1>.+)]\s+(?P<FIELD2>.+)\s+for\s+(?P<FIELD3>.+)\/(?P<FIELD4>.+)"

This worked for me

hardik_splunk · ‎07-10-2016

You need to add capturing group in the rex command. This will be the name of the field, which will have extracted value.

for ex
index=_internal | eval data= "INFO | 2016-07-11 00:03:00,380 | jmsListenerA-9 |" | table data | rex field=data "(?<=^.{34})(?.*)|" | table thread

rakesh_498115 · ‎07-10-2016

Hi sarada,

Try something like this.

rex "(?<=38)(?<WORD>[^|]+)"

Regular expression in Splunk

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!