Required API call, the RegEx I tried in https://regex101.com/ and the RegEx which works in Splunk are given below.
/Contact/v1/15965755/Order
\/Contact\/v1\/[0-9]{1,}/Order
/Contact/v1/*/Order
Why is the PCRE regex not working in Splunk? If I add $ at the end to limit the search, that is also not working.
Somebody please throw some light on this.
Thanks...
Be aware that RegEx101.com does not start out in PCRE mode; you have to SET IT THAT WAY by selecting the PCRE (PHP) option under the Flavors menu in the left pane! Also note that on the very right edge of the RegEx text input it shows some REGEX FLAGS, of which g and m are set by default, but only the g is always correct for Splunk. For example, rex and regex commands DO NOT use m by default (but LINE_BREAKER does), so you must prefix your RegEx with (?m) to make it work the same way in Splunk (or de-select the m flag on RegEx101.com).
Also be aware that Splunk has both pcregextest and regextest CLI tools that you can use:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/CLIadmincommands
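An added example, not part of the original answer: it shows the m flag difference described above by running the asker's pattern, with the $ anchor, against single-line and multi-line events. Python's re module stands in for PCRE here (an assumption: for this pattern $ and (?m) behave the same way in both), and the sample events and function names are constructed for illustration.

```python
import re

# Constructed sample events (not taken from the thread).
SINGLE_LINE = "/Contact/v1/15965755/Order"
MULTI_LINE = "GET /Contact/v1/15965755/Order\nstatus=200 user=svc_api"
CR_TAIL = "/Contact/v1/15965755/Order\r"  # stray carriage return after the path

# The asker's pattern with "$" appended and a capture group around the digits.
PATTERN = r"\/Contact\/v1\/(?P<order>[0-9]{1,})/Order$"


def extract(event, multiline=False):
    """Return the order number, or None when the pattern does not match.

    multiline=True prefixes (?m), which mirrors the regex101 'm' flag;
    multiline=False mirrors a pattern used without that flag.
    """
    regex = ("(?m)" if multiline else "") + PATTERN
    match = re.search(regex, event)
    return match.group("order") if match else None


def compare(events):
    """Return (without_m, with_m) results for each event."""
    return [(extract(e), extract(e, multiline=True)) for e in events]


if __name__ == "__main__":
    for event, result in zip(
        (SINGLE_LINE, MULTI_LINE, CR_TAIL),
        compare((SINGLE_LINE, MULTI_LINE, CR_TAIL)),
    ):
        print(repr(event), "->", result)
```

The multi-line event matches only with (?m), because without it $ anchors to the end of the whole event rather than the end of each line. The event with a trailing carriage return matches in neither mode, since $ does not treat that character as an end of line.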
I like to keep things simple with lookaround constructs. Very powerful, easy to maintain, and worth exploring for cases like this.
| rex "(?<orderNum>\d+)(?=\/Order)"
Translation: Grab the numbers that precede /Order. See https://regex101.com/r/Qq2qaV/1
Hi
Check this
| makeresults
| eval temp="/Contact/v1/15965755/Order"
| rex field=temp "(?P<result>\d+[^\/])"
Line #2 is missing an escape on the backslash preceding "/Order".
Try this:
\/Contact\/v1\/[0-9]{1,}\/Order
That's right.
| makeresults
| eval _raw="/Contact/v1/15965755/Order"
| rex "(?<=\/)(?<value>\d+)"
Hi, @eprince
Some strange signs may be in it, so what about this?
What isn't working for you?
| makeresults
| eval data = "/Contact/v1/15965755/Order"
| rex field=data "^\/Contact\/v1\/(?<field>[0-9]{1,})/Order$"
\/Contact\/v1\/[0-9]{1,}/Order is not working in Splunk to return /Contact/v1/15965755/Order.
But it's working in RegEx101 online validation.