
Positive lookahead in rex to extract ABC, BCD, & CDE from ABCDE

Amusthofa
Explorer

Hi, folks.

I am stumped on this matter. My goal is extracting ABC, BCD, & CDE from ABCDE into a multivalue field.

So far, I have played around with regex101.com and got these 2 regex:

  • (?<field_1>(?=(\w{3})))
  • (?<field_2>(?<=(\w{3})))

Both seem to work on regex101.com.

But the thing is, I always get empty results in Splunk. I was using this command:

| makeresults | eval sample="ABCDE" | rex field=sample max_match=0 "(?<field_1>(?=(\w{3})))"

I understand that I was using positive lookahead and positive lookbehind. I opted to use one of them, since I'm not aware of how many characters the original field would have. So, either lookahead or lookbehind seems to be the appropriate method.

Are these two methods available in Splunk? Or am I doing this in the wrong way?

Please advise.
Thank you 🙂

1 Solution

Amusthofa
Explorer

Hi, folks.

I've been tinkering around for these 2 weeks and finally found a solution. Sort of. This is basically a haphazard workaround.

The first thing I did was trying to make it more readable. Instead of ABCDE, I used A B C D E, basically putting a delimiter between characters. Thus, my regex also changed into something like this: (?=(?<field1>\w\s\w\s\w))

That regex didn't work, unfortunately.

Then I wondered whether the regex actually needed something to anchor on. So, I manipulated my original text again by adding a space before A. My regex became like this: \s(?=(?<field1>\w\s\w\s\w))

I got my intended results, but I still wonder why Splunk's regex engine behaves like that.

NOTE: I had to use \w\s\w\s\w since ..... or .{5} didn't work when I tried them.

NOTE2: The delimiter between characters and the "anchor" before the first character must be EXACTLY THE SAME.

Full SPL:

| makeresults
| eval text="ABCDEFG"
| rex field=text mode=sed "s/(\w)/\1 /g"
| eval text=" "+text
| rex field=text max_match=0 "\s(?=(?<field1>\w\s\w\s\w))"

Screenshot attached.



thambisetty
SplunkTrust
SplunkTrust

It seems positive lookahead and lookbehind are not working in Splunk regex.

(?=(?<field_1>\w{3})) 


Amusthofa
Explorer

Hi, thanks for responding.

I have been trying that too, but all I get is only ABC.

If I use it like this:
| makeresults
| eval sample="ABCDE"
| rex field=sample max_match=3 "(?=(?<field_1>\w{3}))"

Then all I got were:
ABC
ABC
ABC

I'm not really sure about the logic though.
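The behaviour discussed in the accepted workaround and in the ABC, ABC, ABC result above comes down to how the match iterator handles a zero-width match. A pure lookahead such as (?=(?<field_1>\w{3})) consumes nothing, so an iterator that restarts the next search at the end of the previous match never moves and keeps returning the first window; regex101 and Python's re module instead bump the position forward by one character after an empty match, which is why the same pattern looks fine there. The script below is an added example and not code from the thread; it shows the overlapping windows that Python's finditer produces, an emulation (not Splunk's own implementation) of an iterator that does not advance on empty matches, and a variant of the pattern that consumes one character per match and therefore produces the same windows under either behaviour. The Splunk counterpart of that variant, | rex field=sample max_match=0 "(?=(?<field_1>\w{3}))\w", is an assumption that is consistent with the working \s(?=...) workaround, not something verified on the page.

```python
import re
from typing import List

# Constructed sample input, taken from the question in the thread.
SAMPLE = "ABCDE"

# Zero-width pattern: the lookahead captures three characters but consumes none.
LOOKAHEAD_ONLY = re.compile(r"(?=(?P<field_1>\w{3}))")

# Same capture, but the trailing \w consumes one character per match, so every
# iteration strategy has to advance by at least one position.
LOOKAHEAD_CONSUMING = re.compile(r"(?=(?P<field_1>\w{3}))\w")


def overlapping_windows(text: str, pattern: re.Pattern) -> List[str]:
    """Collect every field_1 capture as Python's re engine iterates.

    re.finditer advances one character after an empty match, so even the
    zero-width pattern walks the whole string and yields overlapping windows.
    """
    return [m.group("field_1") for m in pattern.finditer(text)]


def windows_without_bump_along(text: str, pattern: re.Pattern, max_match: int) -> List[str]:
    """Emulate an iterator that restarts at the end of the previous match.

    This is an emulation written for illustration, not Splunk's code. For a
    zero-width match end() equals start(), so the position never moves and the
    first window is returned max_match times, matching the ABC, ABC, ABC symptom.
    """
    out: List[str] = []
    pos = 0
    for _ in range(max_match):
        m = pattern.search(text, pos)
        if m is None:
            break
        out.append(m.group("field_1"))
        pos = m.end()  # does not advance when the match is empty
    return out


def sliding_windows(text: str, width: int) -> List[str]:
    """Regex-free reference: every window of `width` characters, left to right."""
    return [text[i:i + width] for i in range(len(text) - width + 1)]


if __name__ == "__main__":
    print("finditer, lookahead only:     ", overlapping_windows(SAMPLE, LOOKAHEAD_ONLY))
    print("finditer, consuming variant:  ", overlapping_windows(SAMPLE, LOOKAHEAD_CONSUMING))
    print("no bump-along, lookahead only:", windows_without_bump_along(SAMPLE, LOOKAHEAD_ONLY, 3))
    print("no bump-along, consuming:     ", windows_without_bump_along(SAMPLE, LOOKAHEAD_CONSUMING, 10))
    print("reference sliding window:     ", sliding_windows(SAMPLE, 3))
```

The consuming variant is the cleaner fix because it does not require rewriting the field with delimiters first: the lookahead still captures the three-character window, and the extra \w only decides how far the next search starts. Under an engine that bumps along after empty matches it is equivalent to the lookahead alone; under one that does not, it is the difference between three copies of ABC and the intended ABC, BCD, CDE.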
