Splunk Search

Can you help me understand the syntax of this rex field and where such commands are used?

Explorer

rex field=GB"(?<gb>[^]+)"

Hi Team, can anyone help me understand each part of the syntax in the above command? I would also like to know where such commands are used.

Re: Can you help me understand the syntax of this rex field and where such commands are used?

SplunkTrust

Make sure you have the correct SPL string, and use the code sample button in the editor to post it here to include all special chars.

As it reads in your current question, there are several syntax issues.

Re: Can you help me understand the syntax of this rex field and where such commands are used?

SplunkTrust

Please use 101010 and type your rex query there.

Re: Can you help me understand the syntax of this rex field and where such commands are used?

Explorer
rex field=GB"(?<gb>[^]+)"

Re: Can you help me understand the syntax of this rex field and where such commands are used?

SplunkTrust

rex: the command for inline field extractions, see http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/rex
field=GB: use that field to extract from
(): regex capturing group
?<gb>: name the group gb, resulting in a field called gb
[]: regex character class
^: negates whatever comes after the ^ in the character class; this is missing in your example. If it were [^a], it would match every character except an a
+: one or more matches

Re: Can you help me understand the syntax of this rex field and where such commands are used?

Contributor

Hi @maheshsat,
You can check the Splunk docs below to understand regular expression syntax.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/AboutSplunkregularexpressions

Re: Can you help me understand the syntax of this rex field and where such commands are used?

SplunkTrust
Term    Description (with example and explanation)
*       Match zero or more times.
        Example: \w*  matches zero or more word characters.
+       Match one or more times.
        Example: \d+  matches at least one digit.
?       Match zero or one time.
        Example: \d\d\d-?\d\d-?\d\d\d\d  matches a Social Security Number with or without dashes.
( )     Parentheses define match or capture groups, atomic groups, and lookarounds.
        Example: (H..).(o..)  when given the string Hello World, this matches Hel and o W.
[ ]     Square brackets define character classes.
        Example: [a-z0-9#]  matches any character that is a through z, 0 through 9, or #.
{ }     Curly brackets define repetitions.
        Example: \d{3,5}  matches a string of 3 to 5 digits in length.
< >     Angle brackets define named capture groups. Use the syntax (?P<var> ...) to set up a named field extraction.
        Example: (?P<ssn>\d\d\d-\d\d-\d\d\d\d)  pulls out a Social Security Number and assigns it to the ssn field.
[[ ]]   Double brackets define Splunk-specific modular regular expressions.
        Example: [[octet]]  a validated 0-255 range integer.

Also refer to this link, where you can learn and write regexes for specific events:
https://regex101.com/

Let me know if this helps you!

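To tie the term-by-term breakdown of the rex command in the earlier answer and the regex reference table in this one to something that runs, the following Python script is an added example; it is not part of the original thread and not Splunk's own code. It emulates what `rex field=... "..."` does to a set of events (run the regex against one field, add one new field per named capture group that matched, and pass non-matching events through untouched), shows that the posted pattern `[^]+` does not even compile because the negated class has nothing after the `^`, and applies the table's optional-dash SSN pattern. It uses the `(?P<name>...)` group syntax, which Splunk also accepts, because Python's `re` module does not understand `(?<name>...)`. The sample events, the assumption that the `GB` field holds a size followed by a unit, and the `[^ ]+` replacement for the broken class are all constructed for the example, not taken from the post.

```python
import re
from typing import Optional

# Constructed sample events (not from the original post). Field names and
# values are assumptions; "GB" is assumed to hold a size followed by a unit.
EVENTS = [
    {"_raw": "host=web01 GB=512 MB status=ok", "GB": "512 MB"},
    {"_raw": "host=web02 GB=1.5 TB status=ok", "GB": "1.5 TB"},
    {"_raw": "host=web03 status=missing"},  # no GB field at all
    {"_raw": "user=alice id=123-45-6789", "id": "123-45-6789"},
    {"_raw": "user=bob id=123456789", "id": "123456789"},
]


def compile_error(pattern: str) -> Optional[str]:
    """Return the error message if `pattern` does not compile, else None."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def rex(events, pattern: str, field: str = "_raw"):
    """Emulate `rex field=<field> "<pattern>"` (rex defaults to _raw).

    For each event, run the regex against the value of `field` and add one
    new field per named capture group that matched. Events that lack the
    source field, or whose value does not match, are passed through
    unchanged: rex never drops events and never errors on a non-match.
    """
    compiled = re.compile(pattern)  # a bad regex fails here, once, not per event
    out = []
    for event in events:
        event = dict(event)  # do not mutate the caller's events
        value = event.get(field)
        if value is not None:
            match = compiled.search(value)
            if match:
                event.update(
                    {name: text for name, text in match.groupdict().items() if text is not None}
                )
        out.append(event)
    return out


# The posted pattern: "[^]+" is a negated class with nothing after the "^",
# so the "]" is read as a literal and the class is never closed.
POSTED = r"(?P<gb>[^]+)"
# Assumed intent: everything up to the first space.
FIXED = r"(?P<gb>[^ ]+)"
# Two named groups: the numeric size and its unit.
SIZE_UNIT = r"(?P<size>[\d.]+)\s*(?P<unit>[A-Z]+)"
# Named-group SSN pattern from the reference table, dashes optional.
SSN = r"(?P<ssn>\d\d\d-?\d\d-?\d\d\d\d)"


if __name__ == "__main__":
    print("posted pattern compile error:", compile_error(POSTED))
    for ev in rex(EVENTS, FIXED, "GB"):
        print(ev.get("GB"), "->", ev.get("gb"))
    for ev in rex(EVENTS, SIZE_UNIT, "GB"):
        print(ev.get("GB"), "->", ev.get("size"), ev.get("unit"))
    for ev in rex(EVENTS, SSN, "id"):
        print(ev.get("id"), "->", ev.get("ssn"))
```

The point worth keeping in mind when reading a real search: `rex` adds fields only to events where the regex matched, so a pattern that silently matches nothing produces no error, just empty columns; the only thing that fails loudly is a regex that does not compile, which is what the posted `[^]+` does.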

Re: Can you help me understand the syntax of this rex field and where such commands are used?

Explorer

Thanks, everyone, for helping me.

Re: Can you help me understand the syntax of this rex field and where such commands are used?

SplunkTrust

@maheshsat, if your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.