Solved: Re: How to write a regular expression to identify ...

ankithreddy777 · ‎02-02-2017

Hi,
below is the stanza in transforms.conf.

  [rfc5424_header]
  REGEX = <(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{1}(\S+)\s{1}(\S+)
  FORMAT = prival::$1 appname::$2 procid::$3 msgid::$4

As given, above regex has four capturing groups $1,$2,$3,$4. how to identify how many capturing groups are present in a regular expression?

I know how to write regex to match a text and write regex with single name capturing group, but how do I write regex with multiple capturing groups to extract fields? Don't understand what part of regex represents $1, $2 etc.

mpreddy · ‎02-02-2017

Hi Ankit

<(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{1}(\S+)\s{1}(\S+)

which are enclosed in () is the capturing group

(\d+) - 1st group
(\S+) - 2nd
(\S+)- 3 rd
(\S+)-4 th

View solution in original post

mpreddy · ‎02-02-2017

Hi Ankit

<(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{1}(\S+)\s{1}(\S+)

which are enclosed in () is the capturing group

(\d+) - 1st group
(\S+) - 2nd
(\S+)- 3 rd
(\S+)-4 th

How to write a regular expression to identify multiple capturing groups?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation