Hello,
I wasted way too much time on my non-working regex:
Here's what my _raw data looks like:
< Instrument=\"Guitar\" Price=\"500\" >
I would like to add an "instrument" field to my events, but my regex won't work in Splunk (and it's working in other environments!).
My regex so far:
mySearch
| rex field=_raw "Instrument=\"(?<instrument>.*)\""
| fields instrument
I know, I've tried escaping the backquotes like this: "Instrument=\\"(?<instrument>.*)\\""
but this way I get a closing parenthesis error.
I've also tried: "Instrument=\\\"(?<instrument>.*)\\\""
but, same thing, this will only return my raw events.
Do you guys have an idea how to achieve this and create the field "instrument=Guitar" on my events?
Hi,
The actual problem is the "." in the capture group; this is called a greedy regex.
It may be capturing the value Guitar" Price="500, as you are using ".".
The following regex will work:
|makeresults | eval test="< Instrument=\"Guitar\" Price=\"500\" >" | rex field=test "Instrument=\"(?<instrument>[^\"]+)\""
Accept & up-vote the answer if it helps.
happy splunking....!!!!
Hi,
You can also try this simple one. It will also work.
|rex "(?<Instrument_Name>[\w]+)\\\"\s\w"
You can test your rex: https://regex101.com/r/WNni5C/4
Try this:
|rex "Instrument=\"(?<instrument>[^\"]+)\""
Try this
|rex field=_raw "Instrument=\"(?<instrument>[^\"]+)\""
This helped a lot. Thank you.
This is a solid tactic: the not-match. I find this works well when you know what character does NOT belong (in this case, the double quote) and the parser will match up to that. Simple, clean, easy to understand.
Hi Zakary_n,
Probably the problem is "=", which is a special char and must be escaped.
Try this:
| rex "Instrument\=\\\"(?<Instrument>\w+)"
that you can test at https://regex101.com/r/LBvB3S/1
Ciao.
Giuseppe
This was helpful in finding the answer as well. Thank you.
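Added example, not code from this thread or from Splunk: a small Python script that emulates how the rex patterns posted above behave on the sample event, covering both the greedy-capture point in the accepted answer and the escaping in Giuseppe's pattern. It first strips the one level of string escaping a double-quoted SPL literal goes through (assumed here to be only \" -> " and \\ -> \, which is what lets \" in the accepted answer and \\\" in Giuseppe's answer both reach the regex engine as a literal quote), converts PCRE's (?<name>...) to Python's (?P<name>...), and then runs the greedy .* from the question next to the negated-class [^\"]+ from the accepted answer. The extract_attrs helper generalises beyond the single field the thread asks for and pulls every key="value" pair. RAW_EVENT is a constructed copy of the question's _raw line; spl_unescape, compile_spl_regex and rex are hypothetical helper names.

```python
import re

# Constructed sample event mirroring the _raw line in the question (not real data).
RAW_EVENT = '< Instrument="Guitar" Price="500" >'


def spl_unescape(spl_literal):
    """Approximate what Splunk does to a double-quoted SPL string before it
    reaches the regex engine: \\" becomes " and \\\\ becomes \\ ; every other
    backslash (e.g. \\w, \\s, \\=) passes through untouched.
    Assumption: those two escapes are the only ones relevant to this thread."""
    out, i = [], 0
    while i < len(spl_literal):
        ch = spl_literal[i]
        if ch == "\\" and i + 1 < len(spl_literal) and spl_literal[i + 1] in '"\\':
            out.append(spl_literal[i + 1])  # drop the escaping backslash
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def compile_spl_regex(spl_literal):
    """Turn the text typed inside rex "..." into a Python pattern.
    Splunk's PCRE named groups are (?<name>...); Python's re spells them
    (?P<name>...). Lookbehinds (?<= and (?<! are left alone."""
    regex = spl_unescape(spl_literal)
    return re.compile(re.sub(r"\(\?<(?=\w)", "(?P<", regex))


def rex(spl_literal, raw, group):
    """Emulate `| rex field=_raw "<spl_literal>"` for one event, returning the
    named capture or None when the pattern does not match (no field created)."""
    m = compile_spl_regex(spl_literal).search(raw)
    return m.group(group) if m else None


# Generalisation: every key="value" attribute in the event, not just Instrument.
# [^"]* stops at the first quote, so a value containing an escaped quote would
# be truncated; the thread's data has none.
ATTR_RE = re.compile(r'(?P<key>\w+)="(?P<value>[^"]*)"')


def extract_attrs(raw):
    """Return all key="value" pairs from a raw line as a dict."""
    return {m.group("key"): m.group("value") for m in ATTR_RE.finditer(raw)}


if __name__ == "__main__":
    # SPL literals exactly as typed inside the rex quotes in the thread.
    cases = {
        "greedy .* (question)":           (r'Instrument=\"(?<instrument>.*)\"', "instrument"),
        "negated class (accepted answer)": (r'Instrument=\"(?<instrument>[^\"]+)\"', "instrument"),
        "escaped = and \\\\\\\" (Giuseppe)":   (r'Instrument\=\\\"(?<Instrument>\w+)', "Instrument"),
        "word before quote (2nd answer)":  (r'(?<Instrument_Name>[\w]+)\\\"\s\w', "Instrument_Name"),
    }
    for label, (spl, group) in cases.items():
        print(f"{label:34} regex={spl_unescape(spl)!r:48} -> {rex(spl, RAW_EVENT, group)!r}")
    print("all attributes:", extract_attrs(RAW_EVENT))
```

Running it shows the greedy pattern backtracking to the last quote in the line and yielding Guitar" Price="500, while the three other patterns all return Guitar. Lazy .*? would also work here, but the negated class is the safer habit because it never reads past the delimiter, whatever follows it on the line.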