Solved: How to edit my regular expression to extract value...

Lucas_Henry_ · ‎08-04-2016

I'm trying to use a regular expression to grab words out of a logfile that begin with "FNR" and are exactly 10 alphanumeric characters long, and save that to a new field called ErrorCode.

The expression I've written in a PCRE generator doesn't seem to work with Splunk. It's below:

(^|)FNR.......(|$)(?P)

How do I make it work with Splunk?

richgalloway · ‎08-04-2016

Is that 10 characters including "FNR" or after?

Try this regex (?<ErrorCode>FNR\w{7}).

BTW, www.regex101.com seems to do a good job of validating regular expressions Splunk will handle.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-04-2016

Is that 10 characters including "FNR" or after?

Try this regex (?<ErrorCode>FNR\w{7}).

BTW, www.regex101.com seems to do a good job of validating regular expressions Splunk will handle.

---
If this reply helps you, Karma would be appreciated.

Lucas_Henry_ · ‎08-04-2016

Works perfectly. thank you my friend

How to edit my regular expression to extract values from a logfile that begin with "FNR" and are 10 alphanumeric characters long?

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

How to edit my regular expression to extract values from a logfile that begin with "FNR" and are 10 alphanumeric characters long?

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk