Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- PCRE Regex not working in Splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PCRE Regex not working in Splunk
Required API call, RegEx i tried in https://regex101.com/ and the Regex which works in Splunk are given below.
/Contact/v1/15965755/Order
\/Contact\/v1\/[0-9]{1,}/Order
/Contact/v1/*/Order
Why PCRE regex not working in Splunk? If i add $ at the end to limit the search, that also not working.
Somebody please throw some light on this.
Thanks...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Be aware that RegEx101.com does not start our in PCRE mode, you have to SET IT THAT WAY by selecting the PCRE (PHP) option under the Flavors menu in the left pane! Also note on the very right edge of the RegEx text input it shows some REGEX FLAGS of which g and m are set by default but only the g is always correct for Splunk. For example, rex and regex commands DO NOT use m by default (but LINE_BREAKER does), so you must prefix your RegEx with (?m) to make it work the same way in Splunk (or de-select the m flag on RegEx101.com).
Also be aware that splunk has both pcregextest and regextest CLI tools that you can use:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/CLIadmincommands
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I like to keep things simple with lookaround constructs. Very powerful, easy to maintain, and worth exploring for cases like this.
| rex "(?<orderNum>\d+)(?=\/Order)"
Translation: Grab the numbers that precede /Order. See https://regex101.com/r/Qq2qaV/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Check this
| makeresults
| eval temp="/Contact/v1/15965755/Order"
| rex field=temp "(?P<result>\d+[^\/])"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Line #2 is missing an escape on the backslash preceding "/Order".
Try this:
\/Contact\/v1\/[0-9]{1,}\/Order
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's right.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="/Contact/v1/15965755/Order"
| rex "(?<=\/)(?<value>\d+)"
Hi, @eprince
Some strange signs may be in it, so what about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What isn't working for you?
| makeresults
| eval data = "/Contact/v1/15965755/Order"
| rex field=data "^\/Contact\/v1\/(?<field>[0-9]{1,})/Order$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
\/Contact\/v1\/[0-9]{1,}/Order is not working in Splunk to return /Contact/v1/15965755/Order.
But its working in RegEx101 online validation.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
