Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find which group was matched in a regex when multiple groups are extracted to the same field?

girrajubharath
New Member
‎07-07-2017 12:51 PM

I am using multiple capturing groups in regex and extracting the value of multiple groups to same field.

For ex:

(group1)|(group2)|(group3)|(group4)|(group5)

I have defined a field extraction to extract values of group1, group2 and group3 to one field ( say field1 ). Now If some data matched above regex (say group2 is matched), its value is extracted to field1. At this point I know that one of the first 3 groups matched. But is there a way to find out which group matched out of the first 3 groups? I had to extract multiple group values to a single field because all those groups can contain similar data and all the groups does not get logged in one log statement. Also there are so many capturing groups and I don't want to have separate field extraction for each group.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎07-09-2017 11:54 AM

You really can't. Splunk does not expose how things were matched. Now, for debugging purposes, if you want to be freakishly clever, you can do something like this:

(?<common_name>(?<unique1>a+))|(?<common_name>(?<unique2>b+))

Assuming Splunk has the regex library configured to allow for duplicate subpattern names in a single regex (and I assume they do, but don't know this for a fact), then you could extract the field named common_name either as "a+" or "b+" -- but in the "a+" case we would also extract "unique1", and in the "b+" case we would also extract "unique2". This is taking advantage of some oddities of the regex engine.

Fun fact: This is also a semi-reasonable approach to replacing some instances of FIELDALIAS and some edge cases for EVAL

0 Karma
Reply

DalJeanis
Legend
‎07-08-2017 01:50 PM

I'm dubious about your statement that you had to. It sounds like you chose to, and then you found that your choice has caused a problem you didn't anticipate.

In essence, you are probably going to have to query the field to figure out what's in it, which would be more intuitive if you just extracted it into separate fields with the similar data named similarly and the different data named differently for each potential format.

Reply

woodcock
Esteemed Legend
‎07-07-2017 02:20 PM

How and where are you doing this? Is it search-time with SPL or is it index-time with configuration files? Show us your "code".

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...