Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Positive lookahead in rex to extract ABC, BCD, & CDE from ABCDE

Amusthofa
Explorer
‎10-19-2020 02:21 AM

Hi, folks.

I am stumped on this matter. My goal is extracting ABC, BCE, & CDE from ABCDE into a multivalue field.

So far, I have played around with regex101.com and got these 2 regex:

  • (?<field_1>(?=(\w{3})))
  • (?<field_2>(?<=(\w{3})))

Both seem to work on regex101.com

But the thing is, I always get empty results in Splunk. I was using this command

| makeresults | eval sample="ABCDE" | rex field=sample max_match=0 "(?<field_1>(?=(\w{3})))"

I understand that I was using positive lookahead and positive lookbehind. I opt to use one of them, since I'm not aware of how many characters the original field would have. So, either lookahead or lookbehind seems to be the appropriate method to do.

Are these two methods available in Splunk? Or am I doing this in a wrong way?

Please advise.
Thank you 🙂

Labels (4)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

Amusthofa
Explorer
‎11-01-2020 09:49 PM

Hi, folks.

I've been tinkering around these 2 weeks and finally found a solution. Sort of. This is basically a haphazard workaround.

The first thing I did was trying make it more readable. Instead of ABCDE, I used A B C D E. Basically putting a delimiter between characters. Thus, my regex also changed into something like this (?=(?<field1>\w\s\w\s\w))

That regex didn't work, unfortunately.

Then I wonder if the regex actually need something to anchor on. So, I manipulated my original text again by adding a space before A. My regex became like this \s(?=(?<field1>\w\s\w\s\w))

I got my intended results, but I still wonder why Splunk's regex engine behaves like that.

NOTE: I had to use \w\s\w\s\w since ..... or .{5} didn't work when I tried them.

NOTE2: The delimiter between characters and the "anchor" before the first character must be EXACTLY THE SAME.

Full SPL:

Spoiler
| makeresults
| eval text="ABCDEFG"
| rex field=text mode=sed "s/(\w)/\1 /g"
| eval text=" "+text
| rex field=text max_match=0 "\s(?=(?<field1>\w\s\w\s\w))" 

 Screenshot attached

View solution in original post

Tags (1)
Preview file
62 KB
0 Karma
Reply
Solved! Jump to solution
Solution

Amusthofa
Explorer
‎11-01-2020 09:49 PM

Hi, folks.

I've been tinkering around these 2 weeks and finally found a solution. Sort of. This is basically a haphazard workaround.

The first thing I did was trying make it more readable. Instead of ABCDE, I used A B C D E. Basically putting a delimiter between characters. Thus, my regex also changed into something like this (?=(?<field1>\w\s\w\s\w))

That regex didn't work, unfortunately.

Then I wonder if the regex actually need something to anchor on. So, I manipulated my original text again by adding a space before A. My regex became like this \s(?=(?<field1>\w\s\w\s\w))

I got my intended results, but I still wonder why Splunk's regex engine behaves like that.

NOTE: I had to use \w\s\w\s\w since ..... or .{5} didn't work when I tried them.

NOTE2: The delimiter between characters and the "anchor" before the first character must be EXACTLY THE SAME.

Full SPL:

Spoiler
| makeresults
| eval text="ABCDEFG"
| rex field=text mode=sed "s/(\w)/\1 /g"
| eval text=" "+text
| rex field=text max_match=0 "\s(?=(?<field1>\w\s\w\s\w))" 

 Screenshot attached

Tags (1)
Preview file
62 KB
0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎10-19-2020 05:26 AM

seems positive lookahead and look behind is not working in Splunk regex.

(?=(?<field_1>\w{3})) 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

Amusthofa
Explorer
‎10-19-2020 05:30 AM

Hi, thanks for responding.

I have been trying that too, but all I get is only ABC.

If I use it like this:
| makeresults
| eval sample="ABCDE"
| rex fields=sample max_match=3 "(?=(?<field_1>\w{3})) "

Then all I got were:
ABC
ABC
ABC

I'm not really sure about the logic though.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...