- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Going crazy with simple Regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I wasted way too much time on my not working regex :
Here's what my _raw data looks like :
< Instrument=\"Guitar\" Price=\"500\" >
I would like to add an "instrument" field on my events but my regex wont work in Splunk (And it's working in other environments!).
My regex so far :
mySearch
| rex field=_raw "Instrument=\"(?<instrument>.*)\""
| fields instrument
I know, I've tried escaping the backquotes like this : "Instrument=\\"(?<instrument>.*)\\"" but this way I get a closing parenthesis error.
I've also tried : "Instrument=\\\"(?<instrument>.*)\\\"", but same, this will only return my raw events.
Do you guys have an idea how to achieve this and create the field "instrument=Guitar" on my events ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The actual problem was with capture group ".", it is called greedy regex.
It may be capturing the value Guitar" Price="500,as you are using "."
The following regex will work,
|makeresults | eval test="< Instrument=\"Guitar\" Price=\"500\" >" | rex field=test "Instrument=\"(?<instrument>[^\"]+)\""
Accept & up-vote the answer if it helps.
happy splunking....!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You Can also try this simple one. It will also work.
|rex "(?<Instrument_Name>[\w]+)\\\"\s\w"
You can test your rex : https://regex101.com/r/WNni5C/4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this :
|rex "Instrument=\"(?[^\"]+)\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
|rex field=_raw "Instrument=\"(?<instrument>[^\"]+)\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The actual problem was with capture group ".", it is called greedy regex.
It may be capturing the value Guitar" Price="500,as you are using "."
The following regex will work,
|makeresults | eval test="< Instrument=\"Guitar\" Price=\"500\" >" | rex field=test "Instrument=\"(?<instrument>[^\"]+)\""
Accept & up-vote the answer if it helps.
happy splunking....!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This helped a lot. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a solid tactic: the not-match. I find this works well when you know what character does NOT belong (in this case, the double quote) and the parser will will match up to that. Simple, clean, easy to understand.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Zakary_n,
probably the problem is "=" that's a special char and must be escaped.
Try this
| rex "Instrument\=\\\"(?<Instrument>\w+)"
that you can test at https://regex101.com/r/LBvB3S/1
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This was helpful in finding the answer as well. Thank you.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
