Splunk Enterprise

Regex to capture specific format data

Ashwini008
Builder

Hi,

Please help me with a regex to capture only the highlighted data

  • z+o.in_XTY_PREDICTION_S1.gpg.1.txt.1.20210219090217
  • p+d.zwryun.yhudatei.600.gpg.1.20210127014546.gpg
  • t+d.tcoyuing.stkmopini.600.2.20210127042957.gpg
  • a+p.zpitdap1.in0000ci.600.6. 20210127042957.gpg
  • n+o.in_satght.poi.mo.syh.gpg.1.txt.1
  • a+o.deniedin_com.dat.1
0 Karma
1 Solution

scelikok
SplunkTrust

Hi @Ashwini008,

Great to hear it is working. Let me try to explain.

\w\+\w\.(in_)?(?<data>(?:\w{2,}(?:\.)){1,}\w{3})

\w\+\w\.(in_)? --> Skips the first letter+letter pattern and in_ (if any)

Start Capturing

(?:\w{2,}(?:\.)){1,} --> Finds a pattern that has a word with 2 or more chars followed by a dot. Finds this pattern 1 or more times.

\w{3} --> A word with 3 chars.

End Capture

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

scelikok
SplunkTrust

Hi @Ashwini008,

Please try the rex command below:

| rex "\w\+\w\.(in_)?(?<data>(?:\w{2,}(?:\.)){1,}\w{3})"

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
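To see how the rex command in this reply, and the step-by-step breakdown in the accepted solution, actually behave on the filenames from the question, here is an added Python example; it is not code from the thread and not Splunk's own code. It reproduces the rex extraction with Python's re module, where the named group is written (?P<data>...) instead of PCRE's (?<data>...); that is the only change to the pattern. The sample events are the six filenames posted above plus two constructed here: one shows that the trailing \w{3} cuts a final token longer than three characters, and one does not match at all (rex would simply leave the field unset).

```python
import re

# The pattern from the accepted answer. Python's re spells a named group
# (?P<name>...); Splunk's rex (PCRE) accepts (?<name>...). Nothing else differs.
DATA_RE = re.compile(r"\w\+\w\.(in_)?(?P<data>(?:\w{2,}(?:\.)){1,}\w{3})")

# Constructed sample events: the six filenames from the question, then two
# extra lines added for this example (last token longer than 3 chars; no match).
SAMPLE_EVENTS = [
    "z+o.in_XTY_PREDICTION_S1.gpg.1.txt.1.20210219090217",
    "p+d.zwryun.yhudatei.600.gpg.1.20210127014546.gpg",
    "t+d.tcoyuing.stkmopini.600.2.20210127042957.gpg",
    "a+p.zpitdap1.in0000ci.600.6. 20210127042957.gpg",
    "n+o.in_satght.poi.mo.syh.gpg.1.txt.1",
    "a+o.deniedin_com.dat.1",
    "q+x.ab.cdefgh",  # constructed: final token is 6 chars, \w{3} takes "cde"
    "a+b.x.y",        # constructed: no segment has 2+ chars, so no match
]


def extract_data(event):
    """Return the `data` capture for one event, or None when the regex does not
    match (equivalent to the rex field being absent)."""
    m = DATA_RE.search(event)
    return m.group("data") if m else None


def explain(event):
    """Break one match down the way the accepted answer describes it: the skipped
    prefix, whether the optional in_ was consumed, and the captured segments."""
    m = DATA_RE.search(event)
    if not m:
        return None
    data = m.group("data")
    segments = data.split(".")
    return {
        "skipped": event[: m.start("data")],   # \w\+\w\. plus in_ if present
        "in_prefix": m.group(1) is not None,   # group 1 is (in_)?
        "segments": segments,                  # \w{2,} tokens, each once followed by a dot
        "tail": segments[-1],                  # the final \w{3}
        "data": data,
    }


def extract_all(events):
    """Map every event to its captured value, as the rex command would per event."""
    return {e: extract_data(e) for e in events}


if __name__ == "__main__":
    for event, data in extract_all(SAMPLE_EVENTS).items():
        print(f"{event!r:55} -> {data!r}")
```

Because {1,} is greedy and the capture must end in exactly three word characters, the engine first swallows every dot-terminated segment and then backtracks until a three-character run is next, which is why 600 or gpg ends up as the last piece of each captured value. The same rule means a filename whose last token is longer than three characters yields a truncated capture (ab.cde for the constructed q+x.ab.cdefgh line), so compare the captured tail against the real filename if exact tokens matter.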

Ashwini008
Builder

@scelikok Can you please explain to me how the regex expression is capturing only the highlighted data? BTW, the regex is working fine. Thank you!

| rex "\w\+\w\.(in_)?(?<data>(?:\w{2,}(?:\.)){1,}\w{3})"
  • a+p.zpitdap1.in0000ci.600.6. 20210127042957.gpg

Hi @richgalloway, I highlighted the data to indicate what data to capture from each of the given examples.

0 Karma

richgalloway
SplunkTrust

As it turns out, regex does not have the ability to match on highlighting and it's unlikely the data will have highlighting.  🙂

Can you describe how the desired data should be matched?

---
If this reply helps you, Karma would be appreciated.
0 Karma