Splunk Search

First match from end of the line regex

subtrakt
Contributor

Hi Everyone,

Trying to get the expression to read the first match from the end of the line and not the beginning of the line.

| makeresults | eval TEST="beginning of line Facility=test341 Message=test123 end of line" | rex field=TEST max_match=0 "(?i)(?<testfromend>(Facility\=|Message\=)[^$]*)" | mvcombine testfromend

Was hoping this would extract "Message=test123 end of line". Instead I get Facility= and everything after because it's reading from the beginning of the line still.

0 Karma
1 Solution

bjoernhansen
Path Finder

Hey subtrakt,

try this one:

(?i).*(?<testfromend>(Facility\=|Message\=)[^$]*?)$

Update: even better:

(?i)(?<testfromend>(Facility\=|Message\=)[^\=]*?)$

0 Karma

subtrakt
Contributor

I ended up using the first solution.

I guess the .* enables the search from end of line and a more flexible option.

0 Karma

horsefez
SplunkTrust

Hey subtrakt,

why not use (?i)(?<testfromend>Message\=[^$]*) then?

BUT... if you want to extract the value of facility and of message do the following:
(?i)Facility=(?<facility>[^\s]*)\s*Message=(?<message>.*)
https://regex101.com/r/DGZX5X/1

0 Karma

subtrakt
Contributor

There are other cases in the logs that require different conditions searching from the end of the line.

After testing around all those conditions I found the answer selected was the best global option.

0 Karma

subtrakt
Contributor

Thanks Pyro.

Just experimenting without using eval and creating unnecessary fields. The condition requires message to always take precedence.

Sometimes Message= is not in the log. Sometimes it is. When message is not in the log, it needs to capture Facility to end of line.

0 Karma
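As an added worked example (not code from this thread, from Splunk, or from any of the posters), the three patterns discussed above (the accepted answer's two regexes and horsefez's two-field regex) run in Python's `re` module over constructed sample events, including the case subtrakt describes where `Message=` is absent and a third case where the message value itself contains `=`. Splunk's `rex` uses PCRE, whose `(?<name>...)` is spelled `(?P<name>...)` in Python; that is the only change made to the patterns. Note that inside a character class `$` is a literal dollar sign, so `[^$]*` means "any run of characters that are not `$`"; the end-of-line behaviour of the first solution comes from the trailing `$` anchor and the greedy `.*` backtracking from the right, not from `[^$]`.

```python
import re

# Constructed sample events (not from the original thread): one with both
# fields, one where Message= is absent, and one whose message value contains '='.
SAMPLE_EVENTS = [
    "beginning of line Facility=test341 Message=test123 end of line",
    "beginning of line Facility=test341 end of line",
    "beginning of line Facility=test341 Message=key=value end of line",
]

# The question's original pattern: no end anchor, so the leftmost keyword
# (Facility=) matches first and [^$]* swallows the rest of the line.
ORIGINAL = re.compile(r"(?i)(?P<testfromend>(Facility=|Message=)[^$]*)")

# Accepted answer, first form: greedy .* runs to the end of the line and then
# backtracks leftwards until a keyword matches, so the LAST keyword wins.
FIRST_SOLUTION = re.compile(r"(?i).*(?P<testfromend>(Facility=|Message=)[^$]*?)$")

# Accepted answer, second form: a keyword followed by a run of non-'=' characters
# up to end of line. Any '=' inside the value makes the match fail.
SECOND_SOLUTION = re.compile(r"(?i)(?P<testfromend>(Facility=|Message=)[^=]*?)$")

# horsefez's pattern: both fields, but only when Facility= precedes Message=.
BOTH_FIELDS = re.compile(r"(?i)Facility=(?P<facility>[^\s]*)\s*Message=(?P<message>.*)")


def extract(pattern: re.Pattern, event: str):
    """Return the 'testfromend' capture, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("testfromend") if m else None


def extract_both(event: str):
    """Return (facility, message) from horsefez's pattern, or None if it does not match."""
    m = BOTH_FIELDS.search(event)
    return (m.group("facility"), m.group("message")) if m else None


def compare(event: str) -> dict:
    """Apply every pattern to one event so the differences can be seen side by side."""
    return {
        "original": extract(ORIGINAL, event),
        "first": extract(FIRST_SOLUTION, event),
        "second": extract(SECOND_SOLUTION, event),
        "both": extract_both(event),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event)
        for name, value in compare(event).items():
            print(f"  {name:8s} -> {value!r}")
```

The third sample shows the trade-off between the two accepted forms: the `[^\=]*?$` version returns nothing when the value contains an `=`, while the `.*` version takes the last keyword on the line and everything after it, which is why it is the more robust default when the message text is not under your control. The two-field pattern returns nothing for the second sample, which is the "Message= absent, capture Facility to end of line" case the requirement calls for.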