Splunk Search

Issue with regex and 'positive lookbehind'

Emp
Explorer

Hi,

I'm kind of new on the Splunk world and I'm trying to create new extraction field.

 

Here are two examples of my logs.

14394300 SERVER1 02772 SND_OK 0000 NbF=1;TEST2N.02503.02772.SERVER2;

16434800 SERVER6 67965 SND_OK 0000 NbF=1;XXXRD.NN0015.67965.SERVER1;

I don't know how to extract the information in bold.

My extract/transform looks like this:

 

(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+(?P<Rtn>.+)

My fields work correctly for my use (and different cases) but now, I'm trying to be more accurate for <Rtn>

<Rtn> now is: NbF=1;XXXRD.NN0015.67965.SERVER1;

What I need is just the NN0015 or 02503.

I tried with "positive lookbehind" or "positive lookahead" without any success.

 

Is it possible to have some help? Thanks!

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

This works with the two sample events.

 

(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+(?:NbF=[^\.]+\.(?P<Rtn>[^\.]+)|(?<Rtn2>[^;]+))

Select the Rtn field using coalesce.

... | eval Rtn=coalesce(Rtn, Rtn2)

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Lookbehind is not needed.  Try this

(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+NbF=[^\.]+\.(?P<Rtn>[^\.]+)
---
If this reply helps you, Karma would be appreciated.

Emp
Explorer

Hi!

It's not working as expected.

It gave me in results: NbF=1;XXXRD.NN0015.67965.SERVER1;

What I need is "NN0015". I will continue to search with your solution, I can maybe do something with it 🙂

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Make sure you copied the regex correctly.   "NbF" is not part of a capture group so you should not be getting that in a field.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Emp
Explorer

Hi!

Yes it's working. I had a strange bug, I modified <Rtn> by <alias> and it didn't work. Changed it again by <Rtn> or <Alias> or something else and it works...

So thank you, unfortunately I didn't expect that I could have data with a different format...

 

It works perfectly with:

16434800 SERVER6 67965 SND_OK 0000 NbF=1;XXXRD.NN0015.67965.SERVER1;

 

but of course not when I have:

16434800 SERVER6 67965 SND_OK 0000 X00700086;

 

I'm trying to create a "or" with a | but I'm still in pain with regex 😄

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Which part of "16434800 SERVER6 67965 SND_OK 0000 X00700086;" are you trying to extract?

Sometimes, it's easier to use two separate rex commands than to combine regular expressions.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Emp
Explorer

Case 1: 16434800 SERVER6 67965 SND_OK 0000 NbF=1;XXXRD.NN0015.67965.SERVER1;

Case 2: 16434800 SERVER6 67965 SND_OK 0000 X00700086;

 

In both case, what's in bold is my <Rtn>

In case one, your first solution works perfectly but not on the case 2. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This works with the two sample events.

 

(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+(?:NbF=[^\.]+\.(?P<Rtn>[^\.]+)|(?<Rtn2>[^;]+))

Select the Rtn field using coalesce.

... | eval Rtn=coalesce(Rtn, Rtn2)

 

---
If this reply helps you, Karma would be appreciated.

Emp
Explorer

I didn't know the coalesce command.

Works perfectly now with that. I just had to modify my dashboards.

 

Thank you very much!

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...