Solved: Re: Issue with regex and 'positive lookbehind'

Emp · ‎04-16-2021

Hi,

I'm kind of new on the Splunk world and I'm trying to create new extraction field.

Here are two examples of my logs.

14394300 SERVER1 02772 SND_OK 0000 NbF=1;TEST2N.02503.02772.SERVER2;

16434800 SERVER6 67965 SND_OK 0000 NbF=1;XXXRD.NN0015.67965.SERVER1;

I don't know how to extract the information in bold.

My extract/transform looks like this:

(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+(?P<Rtn>.+)

My fields work correctly for my use (and different cases) but now, I'm trying to be more accurate for <Rtn>

<Rtn> now is: NbF=1;XXXRD.NN0015.67965.SERVER1;

What I need is just the NN0015 or 02503.

I tried with "positive lookbehind" or "positive lookahead" without any success.

Is it possible to have some help? Thanks!

richgalloway · ‎04-20-2021

This works with the two sample events.

(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+(?:NbF=[^\.]+\.(?P<Rtn>[^\.]+)|(?<Rtn2>[^;]+))

Select the Rtn field using coalesce.

... | eval Rtn=coalesce(Rtn, Rtn2)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-16-2021

Lookbehind is not needed. Try this

(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+NbF=[^\.]+\.(?P<Rtn>[^\.]+)

---
If this reply helps you, Karma would be appreciated.

Emp · ‎04-19-2021

Hi!

It's not working as expected.

It gave me in results: NbF=1;XXXRD.NN0015.67965.SERVER1;

What I need is "NN0015". I will continue to search with your solution, I can maybe do something with it 🙂

richgalloway · ‎04-19-2021

Make sure you copied the regex correctly. "NbF" is not part of a capture group so you should not be getting that in a field.

---
If this reply helps you, Karma would be appreciated.

Emp · ‎04-20-2021

Hi!

Yes it's working. I had a strange bug, I modified <Rtn> by <alias> and it didn't work. Changed it again by <Rtn> or <Alias> or something else and it works...

So thank you, unfortunately I didn't expect that I could have data with a different format...

It works perfectly with:

16434800 SERVER6 67965 SND_OK 0000 NbF=1;XXXRD.NN0015.67965.SERVER1;

but of course not when I have:

16434800 SERVER6 67965 SND_OK 0000 X00700086;

I'm trying to create a "or" with a | but I'm still in pain with regex 😄

richgalloway · ‎04-20-2021

Which part of "16434800 SERVER6 67965 SND_OK 0000 X00700086;" are you trying to extract?

Sometimes, it's easier to use two separate rex commands than to combine regular expressions.

---
If this reply helps you, Karma would be appreciated.

Emp · ‎04-20-2021

Case 1: 16434800 SERVER6 67965 SND_OK 0000 NbF=1;XXXRD.NN0015.67965.SERVER1;

Case 2: 16434800 SERVER6 67965 SND_OK 0000 X00700086;

In both case, what's in bold is my <Rtn>

In case one, your first solution works perfectly but not on the case 2.

richgalloway · ‎04-20-2021

This works with the two sample events.

(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+(?:NbF=[^\.]+\.(?P<Rtn>[^\.]+)|(?<Rtn2>[^;]+))

Select the Rtn field using coalesce.

... | eval Rtn=coalesce(Rtn, Rtn2)

---
If this reply helps you, Karma would be appreciated.

Emp · ‎04-21-2021

I didn't know the coalesce command.

Works perfectly now with that. I just had to modify my dashboards.

Thank you very much!

Issue with regex and 'positive lookbehind'

regex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?