Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

First match from end of the line regex

subtrakt
Contributor
‎02-19-2018 11:33 AM

Hi Everyone,

Trying to get the expression to read first match from the end off the line and not the beginning of the line. 

| makeresults | eval TEST="beginning of line Facility=test341 Message=test123 end of line" | rex field=TEST max_match=0 "(?i)(?<testfromend>(Facility\=|Message\=)[^$]*)" | mvcombine testfromend

Was hoping this would extract "Message=test123 end of line". Instead i get Facility= and everything after because its reading from the beginning of the line still.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bjoernhansen
Path Finder
‎02-19-2018 11:58 AM

Hey subtrakt,

try this one:

(?i).*(?<testfromend>(Facility\=|Message\=)[^$]*?)$

Update: even better:

(?i)(?<testfromend>(Facility\=|Message\=)[^\=]*?)$

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bjoernhansen
Path Finder
‎02-19-2018 11:58 AM

Hey subtrakt,

try this one:

(?i).*(?<testfromend>(Facility\=|Message\=)[^$]*?)$

Update: even better:

(?i)(?<testfromend>(Facility\=|Message\=)[^\=]*?)$

0 Karma
Reply
Solved! Jump to solution

subtrakt
Contributor
‎02-19-2018 03:28 PM

I ended up using the first solution.

I guess the .* enables the search from end of line and a more flexible option.

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎02-19-2018 11:56 AM

Hey subtrakt,

why not use (?i)(?<testfromend>Message\=[^$]*) then?

BUT... if you want to extract the value of facility and of message do the following:
(?i)Facility=(?<facility>[^\s]*)\s*Message=(?<message>.*)
https://regex101.com/r/DGZX5X/1

0 Karma
Reply
Solved! Jump to solution

subtrakt
Contributor
‎02-19-2018 04:25 PM

There's other cases in the logs that require different conditions searching from the end of the line.

After testing around all those conditions I found the answer selected was the best global option.

0 Karma
Reply
Solved! Jump to solution

subtrakt
Contributor
‎02-19-2018 12:10 PM

Thanks Pyro.

Just experimenting without using eval and creating unnecessary fields. The condition requires message to always take precedence.

Sometimes Message= is not in the log. Sometimes it is. When message is not in the log, it needs to capture Facilility to end of line.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...