Splunk Enterprise

Issue with rex regular expression repeating character matching?

shocko
Contributor

Using Splunk Enterprise 8.2.5 and trying to match a string of repeating characters in my events. For example, from the log file I'm ingesting:

INFO - Service Started
DEBUG - Service suspended

So I was testing this as follows, but the field mylevel is not extracted:

| makeresults | eval msg="info"| rex field=msg "(?<mylevel>\w{4-5})"
| table mylevel

This works, though:

| makeresults | eval msg="info"| rex field=msg "(?<mylevel>(\w{4})|(\w{5}))"
| table mylevel

What is incorrect/wrong with my usage of this?

\w{4-5}


ITWhisperer
SplunkTrust

You need to use a comma, not a hyphen:

\w{4,5}


jotne
Builder

| rex field=msg "(?<mylevel>\w{4,5})"


I think this is the wrong approach. It will match any word with 4 or 5 characters within the msg field.
Somewhat better would be:

| rex field=msg "^(?<mylevel>\w{4,5})"

The ^ makes sure the text is at the start of the line.

Even better:

| rex field=msg "(?<mylevel>(?:INFO|DEBUG))"
or
| rex field=msg "(?<mylevel>(?:INFO|DEBUG|ERROR))"

shocko
Contributor

@ITWhisperer I can't believe I missed that! Wood for the trees and been at a computer screen too long. Should have re-read the docs.

Thanks for taking the time to answer. Much appreciated!


jotne
Builder

Remember, as I told you, it's not an optimal regex. It will hit multiple times in the line, and if the first word is not 4 or 5 characters long, it will try the next word that is 4 or 5 characters long.
https://regex101.com/r/7OSbxb/1

Somewhat better:

^(?<mylevel>\w{4,5})

Even better:

^(?<mylevel>\S+)
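
To see why the hyphen version extracts nothing and how the anchored patterns in this thread behave on lines whose first word is not 4 or 5 characters long, here is an added example (not from the original posts) that runs the four patterns from the thread with Python's re module instead of Splunk's rex. It assumes the quantifier handling shown is the same as PCRE's (an invalid `{4-5}` is matched literally in both), and the third sample event is constructed.

```python
import re

# Constructed sample events modelled on the log lines in the question;
# the third line is made up to show a level shorter than 4 characters.
EVENTS = [
    "INFO - Service Started",
    "DEBUG - Service suspended",
    "ERR - Service failed",
]

# Python's re spells named groups (?P<name>...) where Splunk's PCRE-based
# rex uses (?<name>...); the quantifier behaviour is the same in both.
HYPHEN = re.compile(r"(?P<mylevel>\w{4-5})")        # the original pattern
COMMA = re.compile(r"(?P<mylevel>\w{4,5})")         # accepted fix, unanchored
ANCHORED = re.compile(r"^(?P<mylevel>\w{4,5})")     # anchored to line start
FIRST_TOKEN = re.compile(r"^(?P<mylevel>\S+)")      # first whitespace-free token


def extract(pattern, msg):
    """Return the mylevel capture, or None where rex would leave the field unset."""
    m = pattern.search(msg)
    return m.group("mylevel") if m else None


def extract_all(pattern):
    """Apply one pattern to every sample event, like rex over a result set."""
    return [extract(pattern, e) for e in EVENTS]


def hyphen_is_literal():
    """{4-5} is not a valid quantifier, so the braces, digits and hyphen
    are matched as literal characters; the pattern only hits a string that
    actually contains '{4-5}'."""
    return extract(HYPHEN, "x{4-5} is literal")


if __name__ == "__main__":
    for name, pat in [("hyphen", HYPHEN), ("comma", COMMA),
                      ("anchored", ANCHORED), ("first_token", FIRST_TOKEN)]:
        print(f"{name:12} {extract_all(pat)}")
    print("hyphen literal match:", hyphen_is_literal())
```

The unanchored comma pattern silently picks "Servi" out of the third line, which is the mis-extraction jotne warns about; the anchored patterns either fail cleanly or return the real first token.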

shocko
Contributor

Thanks @jotne and your point is well noted. I was using a simple example but I have used ^ and $ for start/end markers for my production regex. 
