Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Editing RegExp on the "Extract Fields", what's "{2}((?P"

matiasburni
Engager
‎08-13-2015 09:22 AM

Hi all,

I have these 2 patterns in which I want to extract the BRANCH attribut. In this case, the branch is called "branch1":

Aug 13 17:56:20 10.102.165.205 Aug 13 17:56:20 tlsstor001 request 20150813175613|258938|REQUEST|10.102.174.45|xxxxx|GET|/cactus-absp-jf/branch1-release_candidate/36/36.zip|HTTP/1.1|200|45673
Aug 13 17:54:00 10.102.165.205 Aug 13 17:54:00 tlsstor001 request 20150813175353|2765640|REQUEST|10.252.55.2|xxxx|GET|/cactus-absp-jf/build/eng-builds/branch1/PSI/daily/20150724_47/47.zip|HTTP/1.1|200|45669

I don't know how to edit the regex to respect both patterns. I tried:

^(?:[^/\n]*/){2}((?P<branch>[^\-]+)|(build/eng-builds/?P<branch>[^\-]+))

But it's not working. Help?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2015 09:58 AM

This is a job for regex101.com. Your regex is good, except for a few missing escapes. This worked on your samples:

^(?:[^\/\n]*\/){2}((?P<branch>[^\-]+)|(build\/eng-builds\/?P<branch>[^\-]+))

To answer the question in the subject line, "{2}((?P" is actually (parts of) three separate constructs. "{2}" means the previous expression ("(?:[^/\n]*/)") must occur exactly two times. "(" starts a capturing group. "(?P" begins a named capturing group.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2015 09:58 AM

This is a job for regex101.com. Your regex is good, except for a few missing escapes. This worked on your samples:

^(?:[^\/\n]*\/){2}((?P<branch>[^\-]+)|(build\/eng-builds\/?P<branch>[^\-]+))

To answer the question in the subject line, "{2}((?P" is actually (parts of) three separate constructs. "{2}" means the previous expression ("(?:[^/\n]*/)") must occur exactly two times. "(" starts a capturing group. "(?P" begins a named capturing group.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

matiasburni
Engager
‎08-14-2015 02:34 AM

Thanks for your help,

The final query is... I didin't know regex101.com, very useful !!!

^((.*)(eng\-builds\/)(?P[^\/]+))|(?:[^\/\n]*\/){2}(?P[^\-]+)
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...