Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Boolean in Regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Boolean in Regex
Im trying to solve a problem with my regex.
Im extracting the username from an XML transaction.
Sometimes the username comes like this (Byt the way, I think I dont know how to post XML code on the SplunkBase because it gets processed by the editor, so Im omitin some ">" and "<" to get it out).
<login>user1@gmail.com</login>
I can get it with this Regex:
(?i)<login>(?P<CustomerName>[^<]+)"
And sometimes like this:
<login xmlns="">user2@gmail.com</login>
I can get it with this Regex:
(?i) xmlns="">(?P<CustomerName>[^<]+)
Im trying to get a Regex that satisfy both cases,, I was thinking about a boolean, like OR (||) between the two REGEX, but it didnt work.
Im new to this and I dont know how to use it.
Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
m new to this and try to learn. How do you actually use a Boolean | with the Splunk variables? an example will give me a quickstart. Thanks guys.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use a single | symbol as an OR in regex, but you don't really need to in this case. Something like the following should work, where you simply tell it to consume any optional characters before the <login> tag's closing bracket.
(?i)<login [^>]*>(?<PCustomerName>[^<]+)"
If you really want an OR condition, you use a vertical bar (pipe) symbol, like:
(<login>)|(<login xmlns="">)(?<PCustomerName>[^<]+)"
For a good reference take a look at http://www.regular-expressions.info/
Also, check out Kodos or Regex Buddy if you need a good way to test.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tested your rewritten RegEx and they worked perfect. Im new to this and try to learn.
How do you actually use a Boolean | with the Splunk variables? an example will give me a quickstart.
Thanks guys.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about
<login[^>]*>(?P<CustomerName>[^<]+)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
