Solved: How to edit my regular expression to retrieve the ...

christopheryu · ‎09-27-2016

I am trying to extract router names from syslog messages.

Need the regular expression to get the first 7 or 8 characters of variable length strings that end with abcd.com. Example below:

tpbjm01-re0.abcd.com
xtsdjm01-re0.abcd.com
lnd2j902-re1.abcd.com
pqrjm02-re1.abcd.com
py3jm01-re1.uk.abcd.com
brhmjm02-re1.emea.abcd.com
rcnj902.abcd.com
cpzyjm01.abcd.com

So result should be:

tpbjm01
xtsdjm01
lnd2j902
pqrjm02
py3jm01
brhmjm02
rcnj902
cpzyjm01

This is supposed to be the correct regex but it is not pulling anything:

^(?\w{7,8})(?=.*abcd.com)

christopheryu · ‎09-28-2016

Thank you for the response @rrowland . I did use regex101 in coming up with regex in my question but it does not work with splunk. I was able do it by splunk's "extract new field" and using add/remove events. Regex below:

^(?:[^:\n]*:){4}\d+\s+(?P\w+)

View solution in original post

christopheryu · ‎09-28-2016

Thank you for the response @rrowland . I did use regex101 in coming up with regex in my question but it does not work with splunk. I was able do it by splunk's "extract new field" and using add/remove events. Regex below:

^(?:[^:\n]*:){4}\d+\s+(?P\w+)

rrowland · ‎09-27-2016

Hello Christopher,

I was able to use the following on regex101.com with your data set and get your required results using the below.

([a-zA-Z0-9]{7,8})

Regards,
Rich

How to edit my regular expression to retrieve the first 7-8 characters of variable length strings that end with abcd.com?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio