
REGEX in transforms.conf using "^" to specify the beginning does not work

aferchichi
New Member

Hi,

I specified the following in transforms.conf

SOURCE_KEY = MetaData:Host
REGEX = ^8\.\d{1,3}\.\d{1,3}\.\d{1,3}$
DEST_KEY = _MetaData:Index
FORMAT = special_index

This should normally match a host like 8.23.15.12, but it does not work. And if I remove the "^" it will match, but it will also match 18.23.15.12, which I do not want. It seems that the "begins with" is not working... Is this a bug? Is there a way to circumvent it?
Thanks for your help,

Azim


nunoaragao
Explorer

Maybe not working because SOURCE_KEY = MetaData:Host will return

host::

at the beginning of the string.
Maybe change REGEX to either

REGEX = ^host\:\:8\.\d{1,3}\.\d{1,3}\.\d{1,3}
REGEX = (?<!\d)8\.\d{1,3}\.\d{1,3}\.\d{1,3}


aferchichi
New Member

Thanks
but it does not work either...

Any other suggestions?

Azim


alacercogitatus
SplunkTrust

You could try this REGEX:

^8\.\d{1,3}\.\d{1,3}\.\d{1,3}

Dropping the $ might help, since you don't really care about the end of the string, just the beginning.


sowings
Splunk Employee

Some of the other metadata fields have a hidden prefix of the name of the field itself, so it could be host::8.x.y.z

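To make the point of the two answers above concrete (the `host::` prefix that MetaData:Host carries, and why an unanchored pattern over-matches), here is an added Python harness that is not from the thread or from Splunk: it runs the patterns suggested in the thread against constructed host values, including one with a stray leading space as the question author suspected. The `prefixed_ws` pattern and the sample values are my assumptions, not something posted in the thread.

```python
import re

# Constructed sample values of what SOURCE_KEY = MetaData:Host may hold.
# Splunk prefixes the metadata field name, so the value is "host::<hostname>".
# The third entry models the OP's guess that a stray space precedes the digits.
SAMPLE_HOSTS = [
    "host::8.23.15.12",
    "host::18.23.15.12",
    "host:: 8.23.15.12",
    "host::128.3.2.4",
    "host::a8.4.5.7",
]

# Patterns from the thread (PCRE syntax, which Python's re accepts here).
PATTERNS = {
    "original":    r"^8\.\d{1,3}\.\d{1,3}\.\d{1,3}$",        # OP's transform
    "prefixed":    r"^host::8\.\d{1,3}\.\d{1,3}\.\d{1,3}$",  # anchored to the host:: prefix
    "lookbehind":  r"(?<!\d)8\.\d{1,3}\.\d{1,3}\.\d{1,3}",   # nunoaragao's second suggestion
    # Assumption (not from the thread): tolerate optional whitespace after the prefix
    "prefixed_ws": r"^host::\s*8\.\d{1,3}\.\d{1,3}\.\d{1,3}$",
}


def matches(pattern: str, value: str) -> bool:
    """True when the pattern matches anywhere in the value (a transforms.conf REGEX is not implicitly anchored)."""
    return re.search(pattern, value) is not None


def evaluate(patterns=PATTERNS, hosts=SAMPLE_HOSTS) -> dict:
    """Return {pattern_name: [hosts that matched]} so each suggestion can be compared side by side."""
    return {name: [h for h in hosts if matches(pat, h)] for name, pat in patterns.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:12s} -> {hits}")
```

The `original` pattern matches nothing because the string starts with `host::`, not `8`; the lookbehind variant also accepts `host::a8.4.5.7`, which is the objection raised later in the thread.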

aferchichi
New Member

In fact, I think the Host variable extracted has some non-viewable characters before the digits (maybe a space); that's why it did not match the "begins with 8" expression ^8.


alacercogitatus
SplunkTrust

I checked that regex here: http://gskinner.com/RegExr/, with these IPs:

128.3.2.4
8.4.3.2
18.3.4.5

And it only matches the 8.4.3.2 IP.


aferchichi
New Member

Thanks again... But here you must have something before the number "8", like a8.4.5.7, and therefore it will not match the 8.4.5.7


alacercogitatus
SplunkTrust

[^0-9]{1,2}[^0-79]{1}\.\d{1,3}\.\d{1,3}\.\d{1,3} . Not sure why it's not picking up the "^".


aferchichi
New Member

Thanks, but it leads to the same result... Your expression will also match 18.2.3.4, which I don't want. It really seems that Splunk is not capable of interpreting the beginning of a string "^".


alacercogitatus
SplunkTrust

[^0-79]{1}\.\d{1,3}\.\d{1,3}\.\d{1,3} ?


aferchichi
New Member

Thanks
but it does not work either...

Any other suggestions?

Azim
