Splunk Search

Can you help me understand the syntax of this rex field and where such commands are used?

maheshsat
Explorer

rex field=GB"(?[^]+)"

Hi Team, can anyone help me understand each part of the syntax in the above command? I would also like to know where such commands are used.

0 Karma
1 Solution

mayurr98
Super Champion
| Term | Description | Example | Explanation |
|------|-------------|---------|-------------|
| * | Match zero or more times. | \w* | Matches zero or more word characters. |
| + | Match one or more times. | \d+ | Matches at least one digit. |
| ? | Match zero or one time. | \d\d\d-?\d\d-?\d\d\d\d | Matches a Social Security Number with or without dashes. |
| ( ) | Parentheses define match or capture groups, atomic groups, and lookarounds. | (H..).(o..) | When given the string Hello World, this matches Hel and o W. |
| [ ] | Square brackets define character classes. | [a-z0-9#] | Matches any character that is a through z, 0 through 9, or #. |
| { } | Curly brackets define repetitions. | \d{3,5} | Matches a string of 3 to 5 digits in length. |
| < > | Angle brackets define named capture groups. Use the syntax (?P<var> ...) to set up a named field extraction. | (?P<ssn>\d\d\d-\d\d-\d\d\d\d) | Pulls out a Social Security Number and assigns it to the ssn field. |
| [[ ]] | Double brackets define Splunk-specific modular regular expressions. | [[octet]] | A validated 0-255 range integer. |

Also refer to this link, where you can learn and write regex for specific events:
https://regex101.com/

Let me know if this helps you!


0 Karma

maheshsat
Explorer

Thanks everyone for helping me.

0 Karma

richgalloway
SplunkTrust

@maheshsat, if your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma


nikita_p
Contributor

Hi @maheshsat,
You can check the Splunk docs below to understand regular expression syntax.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/AboutSplunkregularexpressions

0 Karma

martin_mueller
SplunkTrust

rex: the command for inline field extractions, see http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/rex
field=GB: use that field to extract from
(): regex capturing group
?<gb>: name the group gb, resulting in a field called gb
[]: regex character class
^: negates whatever is after the ^ in the character class; this is missing in your example. If it were [^a], this would match every character except an a.
+: one or more matches
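To see what each of those pieces does to a real value, here is an added Python example (not from this thread and not Splunk's own code) that mimics rex's named-group extraction with Python's re module: Splunk accepts PCRE-style (?<name>...), Python needs (?P<name>...), so the helper rewrites that first. The GB field value and the SSN strings are constructed, and the repaired pattern [^"] is an assumption about what was meant to follow the ^.

```python
import re

# Splunk's rex accepts PCRE-style named groups (?<name>...); Python's re
# module needs (?P<name>...). This rewrites the group syntax, then applies
# the pattern to one field value the way rex applies it to each event.
NAMED_GROUP = re.compile(r"\(\?<(?P<name>[A-Za-z_]\w*)>")


def rex_extract(field_value, pattern):
    """Return a dict of named captures, or None if the pattern is invalid
    or does not match (rex leaves the new fields unset in that case)."""
    py_pattern = NAMED_GROUP.sub(r"(?P<\g<name>>", pattern)
    try:
        compiled = re.compile(py_pattern)
    except re.error:
        return None  # rex would reject the search with a syntax error
    match = compiled.search(field_value)
    return match.groupdict() if match else None


# Constructed GB field value; the thread's pattern is meant to pull the
# quoted text out of it and store it in a new field called gb.
GB_VALUE = 'size="7.25" unit=GB'

# The pattern as posted: the character class after ^ is empty ([^]).
BROKEN = r'(?<gb>[^]+)"'
# Hypothetical repaired pattern: "anything except a double quote".
FIXED = r'"(?<gb>[^"]+)"'

# The optional-dash example from the table above (\d\d\d-?\d\d-?\d\d\d\d).
SSN_PATTERN = r'(?<ssn>\d\d\d-?\d\d-?\d\d\d\d)'

if __name__ == "__main__":
    print(rex_extract(GB_VALUE, BROKEN))  # None: unterminated character class
    print(rex_extract(GB_VALUE, FIXED))  # {'gb': '7.25'}
    print(rex_extract("id 123-45-6789", SSN_PATTERN))  # {'ssn': '123-45-6789'}
    print(rex_extract("id 123456789", SSN_PATTERN))  # {'ssn': '123456789'}
```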

mayurr98
Super Champion

Please use 101010 and type your rex query there.

0 Karma

maheshsat
Explorer
rex field=GB"(?<gb>[^]+)"
0 Karma

martin_mueller
SplunkTrust

Make sure you have the correct SPL string, and use the code sample button in the editor to post it here to include all special chars.

As it's readable in your current question, there are several syntax issues.

0 Karma