Solved: Re: How to write a regular expression to identify ...

ankithreddy777 · ‎02-02-2017

Hi,
below is the stanza in transforms.conf.

  [rfc5424_header]
  REGEX = <(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{1}(\S+)\s{1}(\S+)
  FORMAT = prival::$1 appname::$2 procid::$3 msgid::$4

As given, above regex has four capturing groups $1,$2,$3,$4. how to identify how many capturing groups are present in a regular expression?

I know how to write regex to match a text and write regex with single name capturing group, but how do I write regex with multiple capturing groups to extract fields? Don't understand what part of regex represents $1, $2 etc.

mpreddy · ‎02-02-2017

Hi Ankit

<(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{1}(\S+)\s{1}(\S+)

which are enclosed in () is the capturing group

(\d+) - 1st group
(\S+) - 2nd
(\S+)- 3 rd
(\S+)-4 th

View solution in original post

mpreddy · ‎02-02-2017

Hi Ankit

<(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{1}(\S+)\s{1}(\S+)

which are enclosed in () is the capturing group

(\d+) - 1st group
(\S+) - 2nd
(\S+)- 3 rd
(\S+)-4 th

How to write a regular expression to identify multiple capturing groups?

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?

How to write a regular expression to identify multiple capturing groups?

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025