Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

PCRE Regex not working in Splunk

eprince
New Member
‎12-20-2019 03:04 AM

Required API call, RegEx i tried in https://regex101.com/ and the Regex which works in Splunk are given below.

/Contact/v1/15965755/Order
\/Contact\/v1\/[0-9]{1,}/Order
/Contact/v1/*/Order

Why PCRE regex not working in Splunk? If i add $ at the end to limit the search, that also not working.
Somebody please throw some light on this.

Thanks...

0 Karma
Reply

woodcock
Esteemed Legend
‎12-26-2019 12:00 PM

Be aware that RegEx101.com does not start our in PCRE mode, you have to SET IT THAT WAY by selecting the PCRE (PHP) option under the Flavors menu in the left pane! Also note on the very right edge of the RegEx text input it shows some REGEX FLAGS of which g and m are set by default but only the g is always correct for Splunk. For example, rex and regex commands DO NOT use m by default (but LINE_BREAKER does), so you must prefix your RegEx with (?m) to make it work the same way in Splunk (or de-select the m flag on RegEx101.com).

Also be aware that splunk has both pcregextest and regextest CLI tools that you can use:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/CLIadmincommands

Reply

jpolvino
Builder
‎12-26-2019 08:51 AM

I like to keep things simple with lookaround constructs. Very powerful, easy to maintain, and worth exploring for cases like this.

| rex "(?<orderNum>\d+)(?=\/Order)"

Translation: Grab the numbers that precede /Order. See https://regex101.com/r/Qq2qaV/1

0 Karma
Reply

vnravikumar
Champion
‎12-22-2019 10:26 PM

Hi

Check this

| makeresults 
| eval temp="/Contact/v1/15965755/Order" 
| rex field=temp "(?P<result>\d+[^\/])"
0 Karma
Reply

mydog8it
Builder
‎12-22-2019 03:45 PM

Line #2 is missing an escape on the backslash preceding "/Order".

Try this:
\/Contact\/v1\/[0-9]{1,}\/Order

Reply

to4kawa
Ultra Champion
‎12-22-2019 03:55 PM

That's right.

0 Karma
Reply

to4kawa
Ultra Champion
‎12-20-2019 05:05 PM 
| makeresults 
| eval _raw="/Contact/v1/15965755/Order"
| rex "(?<=\/)(?<value>\d+)"

Hi, @eprince
Some strange signs may be in it, so what about this?

0 Karma
Reply

bshuler_splunk
Splunk Employee
Splunk Employee
‎12-20-2019 07:39 AM

What isn't working for you?

| makeresults 
|  eval data = "/Contact/v1/15965755/Order"
| rex field=data "^\/Contact\/v1\/(?<field>[0-9]{1,})/Order$"
0 Karma
Reply

eprince
New Member
‎12-20-2019 08:12 AM

\/Contact\/v1\/[0-9]{1,}/Order is not working in Splunk to return /Contact/v1/15965755/Order.
But its working in RegEx101 online validation.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...