Solved: Help with improving Regex

youngsuh · ‎02-02-2021

Here is the regex to extract message_type based on CIM. Could anyone make this faster than 1387 steps?

(?P<message_type>[^.]query|response)\:

Here is the sample syslog for DNS.

Feb  3 00:42:32 FSTAd2346.g.ae3.dns.mil tmm[19902] 2021-02-03 00:42:32 FSTAd2346.g.ae3.dns.mil qid 26818 from 10.130.27.34#13258: view none: query: a-grv-gocdzace.g.ae3.dns.mil IN A + (10.130.44.87%0)
Feb  3 00:42:32 FSTAd2346.g.ae3.dns.mil tmm[19902] 2021-02-03 00:42:32 FSTAd2346.g.ae3.dns.mil qid 57035 to 10.130.27.34#13258: [NOERROR qr,aa,rd] response: a-grv-gocdzace.g.ae3.dns.mil

manjunathmeti · ‎02-02-2021

This executes with 50 steps with the given sample data.

(?<message_type>query|response)\:

View solution in original post

bowesmana · ‎02-02-2021

Unless you really need to have the [\.] in the regex, i.e. you want to match any character in front of the word query, other than the '.' character and to include this in your message type then you should use one of the suggestions.

NB, you don't need the \ in front of :

manjunathmeti · ‎02-02-2021

This executes with 50 steps with the given sample data.

(?<message_type>query|response)\:

scelikok · ‎02-02-2021

Hi @youngsuh,

Below is working in 163 steps based on your sample data.

\s(?P<message_type>query|response)\:

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Help with improving Regex

regex

rex

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

Help with improving Regex

regex

rex

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0