Re: How can we find out whether a string has three...

danielbb · ‎10-30-2019

We would like to find out whether a certain string has three open parentheses characters in any order. Can we do it with regex?

Vijeta · ‎10-30-2019

You can try like below example-

| makeresults |  eval str="(hgd(j,h(((sjs)ii))hhf))"
| rex field=str ".*\(.*\(.*\((?<test>.*).*"
|eval  flag=if(ISNOTNULL(test),"true","false")

darrenfuller · ‎10-30-2019

| makeresults
| eval testdata="value with ( one open paren|value ( with ( two|value ( with ( three ( parens | value with three ((( together| (((value with three at the start|value with three at the end(((|((123)abcdefg(321)xxxx)|"
| rex field=testdata max_match=0 "(?<parenfields>[^\|]+)\|"
| fields + parenfields
| mvexpand parenfields
| regex parenfields="\(.*?\(.*?\("

darrenfuller · ‎10-30-2019

I reread your question, you wanted to find out if a string has 3... this will do ...

| makeresults
| eval testdata="value with ( one open paren|value ( with ( two|value ( with ( three ( parens | value with three ((( together| (((value with three at the start|value with three at the end(((|((123)abcdefg(321)xxxx)|"
| rex field=testdata max_match=0 "(?<parenfields>[^\|]+)\|"
| fields + parenfields
| mvexpand parenfields
| eval HAS3parenS=if (match(parenfields, "\(.*?\(.*?\("), "Yes :D", "no :(")

gcusello · ‎10-30-2019

Hi danielbb,
surely!
if you share a sample I could help you.
Ciao.
Giuseppe

danielbb · ‎10-30-2019

Thank you @gcusello - a string like this one is a valid one - ((123)abcdefg(321)xxxx)

How can we find out whether a string has three open parentheses characters?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

How can we find out whether a string has three open parentheses characters?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability