Splunk Search

Editing RegExp on the "Extract Fields", what's "{2}((?P"

matiasburni
Engager

Hi all,

I have these 2 patterns in which I want to extract the BRANCH attribut. In this case, the branch is called "branch1":

Aug 13 17:56:20 10.102.165.205 Aug 13 17:56:20 tlsstor001 request 20150813175613|258938|REQUEST|10.102.174.45|xxxxx|GET|/cactus-absp-jf/branch1-release_candidate/36/36.zip|HTTP/1.1|200|45673
Aug 13 17:54:00 10.102.165.205 Aug 13 17:54:00 tlsstor001 request 20150813175353|2765640|REQUEST|10.252.55.2|xxxx|GET|/cactus-absp-jf/build/eng-builds/branch1/PSI/daily/20150724_47/47.zip|HTTP/1.1|200|45669

I don't know how to edit the regex to respect both patterns. I tried:

^(?:[^/\n]*/){2}((?P<branch>[^\-]+)|(build/eng-builds/?P<branch>[^\-]+))

But it's not working. Help?

Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

This is a job for regex101.com. Your regex is good, except for a few missing escapes. This worked on your samples:

^(?:[^\/\n]*\/){2}((?P<branch>[^\-]+)|(build\/eng-builds\/?P<branch>[^\-]+))

To answer the question in the subject line, "{2}((?P" is actually (parts of) three separate constructs. "{2}" means the previous expression ("(?:[^/\n]*/)") must occur exactly two times. "(" starts a capturing group. "(?P" begins a named capturing group.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

This is a job for regex101.com. Your regex is good, except for a few missing escapes. This worked on your samples:

^(?:[^\/\n]*\/){2}((?P<branch>[^\-]+)|(build\/eng-builds\/?P<branch>[^\-]+))

To answer the question in the subject line, "{2}((?P" is actually (parts of) three separate constructs. "{2}" means the previous expression ("(?:[^/\n]*/)") must occur exactly two times. "(" starts a capturing group. "(?P" begins a named capturing group.

---
If this reply helps you, Karma would be appreciated.

matiasburni
Engager

Thanks for your help,

The final query is... I didin't know regex101.com, very useful !!!

^((.*)(eng\-builds\/)(?P[^\/]+))|(?:[^\/\n]*\/){2}(?P[^\-]+)
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...