Solved: Is there any way of searching for any character fo...

rajivchadha · ‎01-18-2017

Does splunk rex have a concept of doing a .*, in the rex function? I basically want to search for any character followed by a comma.

javiergn · ‎01-18-2017

Does "any character" include commas too?

If not, you can possibly do it like this:

"[^\,]+\,"

Which reads as 1 or more non-comma characters followed by a comma.

You can then group all of that in a token you want to capture, and problem solved.

| rex "(?<fieldnameFoo>[^\,]+)\,"

Thanks,
J

jkat54 · ‎01-18-2017

In regex . stands for any character and \, stands for comma.

So

  | rex (?<anyChar>.)\,

Should work

However if you're not wanting to extract the field and instead you're just searching for it, use the regex command.

   | regex .\,

rajivchadha · ‎01-18-2017

I tried the rex command like below and it did not work as per your suggestion

index="md_dev" ( "Subscribe for") | rex max_match=0 "(?identifier=.*\,)"

also tried

index="md_dev" ( "Subscribe for") | rex max_match=0 "(?identifier=[.]*\,)"

which did not work

javiergn · ‎01-18-2017

Does "any character" include commas too?

If not, you can possibly do it like this:

"[^\,]+\,"

Which reads as 1 or more non-comma characters followed by a comma.

You can then group all of that in a token you want to capture, and problem solved.

| rex "(?<fieldnameFoo>[^\,]+)\,"

Thanks,
J

rajivchadha · ‎01-18-2017

Thanks. I tried what you suggested and it worked.

Is there any way of searching for any character follow by comma using rex