Using Splunk Enterprise 8.2.5 and trying to match a string of repeating characters in my events. For example, from the log file I'm ingesting:
INFO - Service Started
DEBUG - Service suspended
So I was testing this as follows, but the field mylevel is not extracted:
| makeresults | eval msg="info"| rex field=msg "(?<mylevel>\w{4-5})"
| table mylevel
This works, though:
| makeresults | eval msg="info"| rex field=msg "(?<mylevel>(\w{4})|(\w{5}))"
| table mylevel
What is incorrect/wrong with my usage of this?
\w{4-5}
| rex field=msg "(?<mylevel>\w{4,5})"
I think this is the wrong approach. It will match any word with 4 or 5 characters within the msg field.
Somewhat better would be:
| rex field=msg "^(?<mylevel>\w{4,5})"
The ^ makes sure the text is at the start of the line.
Even better:
| rex field=msg "(?<mylevel>(?:INFO|DEBUG))"
or
| rex field=msg "(?<mylevel>(?:INFO|DEBUG|ERROR))"
You need to use comma not hyphen
\w{4,5}
@ITWhisperer I can't believe I missed that! Wood for the trees and been at a computer screen too long. Should have re-read the docs.
Thanks for taking the time to answer. Much appreciated!
Remember, as I told you, it's not an optimal regex. It will hit multiple times in the line, and if the first word is not 4 or 5 characters long, it will try the next word that is 4 or 5 characters long.
https://regex101.com/r/7OSbxb/1
Somewhat better:
^(?<mylevel>\w{4,5})
Even better:
^(?<mylevel>\S+)
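As an added illustration (not code from the thread), the four patterns discussed above run against constructed sample events with Node's built-in RegExp, which, like the PCRE engine behind rex, treats an invalid brace quantifier such as {4-5} as literal text. The rexLevel helper and the ALLOWLIST pattern are my own additions.

```javascript
// Constructed sample events in the shape the thread describes (not real log data).
const EVENTS = [
  "INFO - Service Started",
  "DEBUG - Service suspended",
  "ERROR - Service failed",
  "OK - Service healthy",   // 2-char level: exposes the unanchored pitfall
];

// Mirror of `rex field=msg "<pattern>"`: return the mylevel capture, or null on no match.
function rexLevel(pattern, event) {
  const m = new RegExp(pattern).exec(event);
  return m && m.groups ? m.groups.mylevel : null;
}

// 1. Hyphen instead of comma: "{4-5}" is not a quantifier, so the braces are taken
//    literally and the pattern looks for one word char followed by the text "{4-5}".
const BROKEN = "(?<mylevel>\\w{4-5})";
// 2. Correct quantifier but unanchored: grabs the first run of 4-5 word chars anywhere.
const UNANCHORED = "(?<mylevel>\\w{4,5})";
// 3. Anchored to line start, any non-space run: always the leading token.
const ANCHORED = "^(?<mylevel>\\S+)";
// 4. Explicit allowlist of levels: anything else stays unextracted instead of being
//    silently mis-parsed, which is the safer failure mode for a detection pipeline.
const ALLOWLIST = "^(?<mylevel>INFO|DEBUG|ERROR)\\b";

// Apply every pattern to every event so the differences sit side by side.
function compare() {
  return EVENTS.map((e) => ({
    event: e,
    broken: rexLevel(BROKEN, e),
    unanchored: rexLevel(UNANCHORED, e),
    anchored: rexLevel(ANCHORED, e),
    allowlist: rexLevel(ALLOWLIST, e),
  }));
}

// The only input the broken pattern can ever match is a literal "{4-5}" in the text.
const LITERAL_HIT = rexLevel(BROKEN, "x{4-5} is literal");

console.table(compare());
console.log("broken pattern on literal text:", LITERAL_HIT);
```

On the "OK - Service healthy" event the unanchored pattern extracts "Servi" (the first five word characters of "Service"), while the anchored pattern returns "OK" and the allowlist returns nothing.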
Thanks @jotne and your point is well noted. I was using a simple example but I have used ^ and $ for start/end markers for my production regex.