Other Usage
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is regex not working?

man03359
Communicator
‎08-10-2023 06:18 AM

Hi all!

I have a field called "correlation id" in my search output, out of which I am trying to extract another field called "key". e.g.

Correlation id field value: Stores_XstorePOSError_tjm1554_2023320

Then its corresponding key value: Stores_XstorePOSError_tjm1554, which I am able to achieve using this regex -

| rex field=correlation_id "^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d]*))([\._])?" 

which is unfortunately not working for some correlation ids.

e.g. -

Correlation id field value: STP_Stores_DiskSpace_stp-44slcapp9_20230809

Key value coming is: STP_Stores_DiskSpace_stp

I assume it is because in the regex, it is mentioned to take "_" and not "-" 

How do I fix it?

Tags (2)
Preview file
23 KB
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2023 06:50 AM

It is not clear what you are expecting to get from STP_Stores_DiskSpace_stp-44slcapp9_20230809

0 Karma
Reply

man03359
Communicator
‎08-10-2023 07:06 AM

I am extracting all the other fields, "device", "key", geo", "incident_group" from the correlation_id using this regex-

| rex field=correlation_id "^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d]*))([\._])?"

But unfortunately, this regex does not work for some-

e.g. STP_Stores_DiskSpace_stp-44slcapp9_20230809,

it is extracting only : STP_Stores_DiskSpace_stp instead of STP_Stores_DiskSpace_stp-44slcapp9.

I am assuming its because after stp there is "-" and not "_".

I have attached the working one for comparison.

Hope this is clear.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2023 07:15 AM 
| rex field=correlation_id "^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d-]*))([\._])?"
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎08-10-2023 07:13 AM

Hi @man03359,

Please try below updated regex;

| rex field=correlation_id "^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d-]*))([\._])?"
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

man03359
Communicator
‎08-10-2023 06:52 AM

I need to extract till STP_Stores_DiskSpace_stp-44slcapp9 under the key field from the correlation id: STP_Stores_DiskSpace_stp-44slcapp9_20230809

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...