Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to understand the following expression.

Nicksyboy
Explorer
‎08-29-2013 04:37 PM

I recently came across a Splunk expression, as

rex "(?i)\".*? (?P/\w+/((\w+\.\d+)|(\w+\d+))/((\w+/)|(\w+/\w+/)|((\w+/\w+/\w+/)))\D+((\?)|(\s)))\w+"

and due to the usage of toom many forward and backward slash, I am unable to understand it. Can you please help me in the matter?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gelica
Communicator
‎08-30-2013 01:58 AM

I like this site alot for checking regexes: http://www.regexper.com/

The regex needed a little modification, but only escaping "/"
This is the regex I ran to get the site to work:

.*? (\/\w+\/((\w+\.\d+)|(\w+\d+))\/((\w+\/)|(\w+\/\w+\/)|((\w+\/\w+\/\w+\/)))\D+((\?)|(\s)))\w+

View solution in original post

Reply
Solved! Jump to solution
Solution

gelica
Communicator
‎08-30-2013 01:58 AM

I like this site alot for checking regexes: http://www.regexper.com/

The regex needed a little modification, but only escaping "/"
This is the regex I ran to get the site to work:

.*? (\/\w+\/((\w+\.\d+)|(\w+\d+))\/((\w+\/)|(\w+\/\w+\/)|((\w+\/\w+\/\w+\/)))\D+((\?)|(\s)))\w+
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎08-29-2013 04:50 PM

Pull a fieldname that is followed by a / then one or more letters followed by a /, which will be followed by one of the following:

one or more letters followed by a . followed by one or more digits, or

one or more letters followed by one or more digits.

This will be followed by a / and then one of the following:

One or more letters, or

One or more letters followed by a / then one or more letters followed by a /, or

One or more letters followed by a / then one or more letters followed by a / then one or more letters followed by a /

This will be followed by one or more Non-digits.

I think that covers all of the /shs.

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎08-29-2013 05:22 PM

You should accept the answer so others know the issue is closed.

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎08-29-2013 05:14 PM

You are welcome.

0 Karma
Reply
Solved! Jump to solution

Nicksyboy
Explorer
‎08-29-2013 05:12 PM

Thanks guys for your quick response!

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎08-29-2013 05:05 PM

little d means digit, big D means not a digit. Same with w and W for a letter.

Reply
Solved! Jump to solution

grijhwani
Motivator
‎08-29-2013 04:59 PM

s is any whitespace character.

Reply
Solved! Jump to solution

Nicksyboy
Explorer
‎08-29-2013 04:56 PM

Thanks for the quick response! So - \w is for words, \d is for digits. What is D and S stands for?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...