
How do I write a regular expression to return a matching pattern in my logs?

Explorer

Any string starting with COLDAPP and ending with a double colon would be a Tx id in my logs. It can be at the beginning/middle/end, as the logs are not always fully structured. How do I write a regex to return a matching pattern that starts with COLDAPP and ends with a double colon, excluding the double colon from the returned pattern?

Example of log:

 BaseProcessor pool-62-thread-84 - COLDAPP_WS_780144376_148455147959900002_pbv14slm2_12910::3tWofZ2Bb

I am trying

COLDAPP(?P.*?)::

it returns

 _WS_780144376_148455147959900002_pbv14slm2_12910

How do I return

COLDAPP_WS_780144376_148455147959900002_pbv14slm2_12910

Thanks in advance for your help.


Re: How do I write a regular expression to return a matching pattern in my logs?

Splunk Employee

(COLDAPP?P.*)::


Re: How do I write a regular expression to return a matching pattern in my logs?

Explorer

@dtregonning_splunk somehow it's not working. I am trying my query on regex101.com. Is there anything wrong I would be doing?

PS: I was trying to attach a snap, but I got a message that I would need more karma points to attach an image in the post.

0 Karma

Re: How do I write a regular expression to return a matching pattern in my logs?

Splunk Employee

Hmm, I'm not sure @pradjswl. Look for any trailing or leading spaces. Here is a screenshot of what I had.


0 Karma

Re: How do I write a regular expression to return a matching pattern in my logs?

Explorer

@dtregonning_splunk how/where do I specify the name of the extracted field in this format? On the regex portal it does return the correct value. How would this work in Splunk, as I understand we need to specify the extracted field name in the query itself with triangular brackets? I tried putting triangular brackets in the query but I am getting a syntax error.

0 Karma

Re: How do I write a regular expression to return a matching pattern in my logs?

Splunk Employee

(?COLDAPP?P.*)::

Replace fieldnamexxx with whatever you would like to call the extraction field.

0 Karma

Re: How do I write a regular expression to return a matching pattern in my logs?

Explorer

@dtregonning_splunk somehow the Splunk comment omits the fieldname while we comment. I see it was omitted in the question I posted, and in the response you are posting. It would be great if you could post a screenshot with the field name.

I truly appreciate your help.

By the way, how many points do I need to earn before I can start posting images in the comments?

0 Karma

Re: How do I write a regular expression to return a matching pattern in my logs?

Splunk Employee

@pradjswl - 60 Karma points are required to attach files. Here's a general outline of how to earn Karma points on Answers as well as how much Karma is required in order to unlock certain site capabilities.

0 Karma

Re: How do I write a regular expression to return a matching pattern in my logs?

Splunk Employee

Sorry @pradjswl, looks like the comment interpreted my text as HTML. Here is a screenshot showing the regex.


0 Karma

Re: How do I write a regular expression to return a matching pattern in my logs?

Explorer

Great, that works 🙂

0 Karma
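
An added example, not part of the original thread or any poster's code: a Python check of the extraction asked about above, with COLDAPP kept inside a named capture group and the `::` left outside it. The group name `tx_id`, the function names, the assumption that a Tx id contains no whitespace, and every sample line except the first (taken from the question) are illustrative.

```python
import re

# The literal COLDAPP sits inside the named group, so it is part of the
# captured value; the "::" sits outside the group, so it is not.
# \S*? is lazy and cannot cross whitespace (assumption: ids have no spaces),
# so the capture stops at the first "::" after the prefix.
TX_ID = re.compile(r"(?P<tx_id>COLDAPP\S*?)::")

# For contrast: a greedy ".*" runs to the LAST "::" on the line.
GREEDY = re.compile(r"(?P<tx_id>COLDAPP.*)::")


def extract_tx_ids(line):
    """Return every Tx id on the line, wherever it appears."""
    return [m.group("tx_id") for m in TX_ID.finditer(line)]


def greedy_capture(line):
    """Return what the greedy pattern captures, or None if nothing matches."""
    m = GREEDY.search(line)
    return m.group("tx_id") if m else None


# First line is the log sample from the question; the rest are constructed.
SAMPLES = [
    " BaseProcessor pool-62-thread-84 - "
    "COLDAPP_WS_780144376_148455147959900002_pbv14slm2_12910::3tWofZ2Bb",
    "COLDAPP_A_1::start mid COLDAPP_B_2::x end COLDAPP_C_3::",
    "COLDAPP service restarted, see host::port",  # prefix but no id
    "no transaction id on this line",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(extract_tx_ids(line), "| greedy:", greedy_capture(line))
```

In Splunk's `rex` command the same named group is written with the `(?<tx_id>...)` syntax, which is the angle-bracket field name the comment form stripped from the posts above.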