First match from end of the line regex

subtrakt
Contributor

Hi Everyone,

Trying to get the expression to read the first match from the end of the line and not the beginning of the line.

| makeresults | eval TEST="beginning of line Facility=test341 Message=test123 end of line" | rex field=TEST max_match=0 "(?i)(?<testfromend>(Facility\=|Message\=)[^$]*)" | mvcombine testfromend

Was hoping this would extract "Message=test123 end of line". Instead I get Facility= and everything after because it's still reading from the beginning of the line.

1 Solution

bjoernhansen
Path Finder

Hey subtrakt,

try this one:

(?i).*(?<testfromend>(Facility\=|Message\=)[^$]*?)$

Update: even better:

(?i)(?<testfromend>(Facility\=|Message\=)[^\=]*?)$



subtrakt
Contributor

I ended up using the first solution.

I guess the .* enables the search from end of line and a more flexible option.


horsefez
Motivator

Hey subtrakt,

why not use (?i)(?<testfromend>Message\=[^$]*) then?

BUT... if you want to extract the value of facility and of message do the following:
(?i)Facility=(?<facility>[^\s]*)\s*Message=(?<message>.*)
https://regex101.com/r/DGZX5X/1


subtrakt
Contributor

There are other cases in the logs that require different conditions searching from the end of the line.

After testing around all those conditions I found the answer selected was the best global option.


subtrakt
Contributor

Thanks Pyro.

Just experimenting without using eval and creating unnecessary fields. The condition requires message to always take precedence.

Sometimes Message= is not in the log. Sometimes it is. When Message is not in the log, it needs to capture Facility to end of line.

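Added example, not from the thread: the patterns discussed above run through Python's re module against constructed sample lines covering the "both keys present", "Facility only", "no keys" and "value contains a dollar sign" cases, so the precedence and fallback behaviour can be checked outside Splunk (Splunk's PCRE group syntax (?<name>...) is written (?P<name>...) for Python; nothing else changes).

```python
import re

# The question's pattern: search() takes the FIRST Facility=/Message= from the left,
# and the greedy [^$]* then runs to the end of the line.
ORIGINAL = re.compile(r"(?i)(?P<testfromend>(Facility=|Message=)[^$]*)")

# Accepted answer: the greedy leading .* consumes the whole line first and backtracks
# only as far as needed, so the group lands on the LAST Facility=/Message= occurrence.
# Caveat: inside a character class $ is a literal dollar sign, so [^$]*? means
# "characters other than '$'", not "up to end of line"; a '$' in the value breaks the match.
FROM_END = re.compile(r"(?i).*(?P<testfromend>(Facility=|Message=)[^$]*?)$")

# The "even better" variant: [^=]*? cannot cross a later '=', so a match starting at
# Facility= fails whenever Message= follows it, and the $ anchor makes the last key win.
FROM_END_NO_EQ = re.compile(r"(?i)(?P<testfromend>(Facility=|Message=)[^=]*?)$")

# horsefez's pattern for pulling both values when both keys are present.
BOTH = re.compile(r"(?i)Facility=(?P<facility>[^\s]*)\s*Message=(?P<message>.*)")


def extract(pattern, line):
    """Return the named group 'testfromend', or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group("testfromend") if m else None


def facility_and_message(line):
    """Return (facility, message) via horsefez's pattern, or None if either key is absent."""
    m = BOTH.search(line)
    return (m.group("facility"), m.group("message")) if m else None


# Constructed sample lines (not real log data) covering the cases described in the thread.
WITH_BOTH = "beginning of line Facility=test341 Message=test123 end of line"
FACILITY_ONLY = "beginning of line Facility=test341 end of line"
NO_KEYS = "beginning of line end of line"
DOLLAR = "Facility=billing Message=cost $5"

if __name__ == "__main__":
    for line in (WITH_BOTH, FACILITY_ONLY, NO_KEYS, DOLLAR):
        print(line)
        print("  original :", extract(ORIGINAL, line))
        print("  from end :", extract(FROM_END, line))
        print("  no '='   :", extract(FROM_END_NO_EQ, line))
        print("  both     :", facility_and_message(line))
```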