Solved: Re: How to use wildcard inside string regex?

limalbert · ‎11-06-2017

The log contains string in this format below.

name:X_device:Y_
name-U:X1_Y2_

It has a mixed pattern, and I'm wondering how to use wildcard if I do the regex for name and device in a string (inside double quotations) like below?

rex "name *wildcard* (?<name>\w*)_"
rex "device *wildcard* (?<device>\w*)_"

somesoni2 · ‎11-06-2017

This should do it. (runanywhere sample search. Replace everything before rex with your search)

| gentimes start=-1 | eval raw="name:X_device:Y_#name-U:X1_Y2_" | table raw | makemv raw delim="#" | mvexpand raw | rename raw as _raw 
|rex "name[^:]*:(?<name>[^_]+)_(device:)*(?<device>[^_]+)"

View solution in original post

somesoni2 · ‎11-06-2017

This should do it. (runanywhere sample search. Replace everything before rex with your search)

| gentimes start=-1 | eval raw="name:X_device:Y_#name-U:X1_Y2_" | table raw | makemv raw delim="#" | mvexpand raw | rename raw as _raw 
|rex "name[^:]*:(?<name>[^_]+)_(device:)*(?<device>[^_]+)"

limalbert · ‎11-06-2017

Thank you! This works!

yuanliu · ‎11-06-2017

The concept of "wildcard" is more refined in regex so you just have to use the regex format. If you expect 0 or more repetitions of any character, for example, you would use .* instead if just *.

In regex, * means 0 or more repetition of any character preceding it; in one of your examples, name *wildcard*, the first "*" represents 0 or more white spaces, whereas the second "*" represents 0 or more letter "d". If you want your "wildcard" to represent any character in any repetition, you precede "*" with special character ".", which in regex can represent any singe character.

somesoni2 · ‎11-06-2017

Hey @limalbert, Please format any search/code/data sample that you post using code button (button with '101010' above the editor) or by pressing Ctrl+K.

In the 2nd example, there is no keyword for device, is that correct or typo? Are you looking for wildcarding the one which I highlighed here: name**:**X and name**-U:**X1 ??

limalbert · ‎11-06-2017

Hi @somesoni,

I edited the question.

For the second example for device, there is no keyword, and that's why it's a little bit difficult. I found another alternate to wildcard by using this (?:[^/]+)?. I successfully use this to get name field, but I'm still working on the device since it doesn't have keyword.

rex "name(?:[^/]+)?:(?<name>\w*)_"

somesoni2 · ‎11-06-2017

Give this a try (single rex to extract both)

rex "name[^\:]+\:(?<name>\w+)_(device\:)*(?<device>\w+)"

limalbert · ‎11-06-2017

Sorry, the output for device is actually only "Y". It only give the one with keyword, but it doesn't give the one without keyword.

limalbert · ‎11-06-2017

Can you help me understand what you did after name? Specifically this one, [^:]+.
Also, it works to get only the first device, so the only output is device:Y.

How to use wildcard inside string regex?

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Are you a member of the Splunk Community?

How to use wildcard inside string regex?

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud