Solved: How to edit my regex to remove all text before ":"...

nikolaevnz · ‎06-02-2022

Hello Team, Splunkers,

I am working on a correlation search and need to use a regex expression to strip all text before a column ":". Following the suggestion presented in:

I managed to strip the text using this expression which was derived from the topic above:

| rex field=my_host "(?<my_host>[^\:]+)$"

and apply it to the following line:

Microsoft.Windows.Server.10.0.LogicalDisk:my_host.server;D

it will work and I will receive: my_host.server;D

However if I apply the above expression to the same line but with column at the end of the string looking like this:

Microsoft.Windows.Server.10.0.LogicalDisk:my_host.server;D:

this will not be matched. Could you please assist me with editing my expression to cover both cases and still get my_host.server;D as a result.

Regards Nikolay

richgalloway · ‎06-02-2022

Try this command. There may be other expressions that accomplish the same thing, but this one matches the examples provided.

| rex field=my_host ":(?<my_host>[^\:]+):?$"

---
If this reply helps you, Karma would be appreciated.

nikolaevnz · ‎06-06-2022

Thank you for the help it woks as intended.

richgalloway · ‎06-02-2022

Try this command. There may be other expressions that accomplish the same thing, but this one matches the examples provided.

| rex field=my_host ":(?<my_host>[^\:]+):?$"

---
If this reply helps you, Karma would be appreciated.

How to edit my regex to remove all text before ":" if there is more than one