Splunk Search

([^\/]+)\/ REGEX meaning?

Harishma
Communicator

Can someone explain me wht that simple regex means??
Sorry for this simple question but this is very new to me. I understand these..
^ --> refers to start of / position
+--> means one or more
([^\/]+)\/

But this regex matches the below CAPITAL ONES for example:

AAAA/BBBB/CCCC/hhhh
Why hhhh is not matched? If ^\/ refers to start of position of "/", why things before the last slash ie before /hhhh are matched??

Appreciate your help on this.

Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Within square brackets the '^' character means 'not'. Therefore, the regex matches at least one non-slash character followed by a slash.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

inventsekar
SplunkTrust
SplunkTrust

\/ ------- will match for a "/"
^\/ ----- will match for a "/" at the beginning of the line.
[^\/] ------ ^ inside a [ ] will be for negation(opposite of). it will match for anything except a "/"
[^\/]+ ----- it will match for, one or more characters, anything except a "/"
([^\/]+)----- the rex matching should be put inside the flower bracket "( )".
([^\/]+)\/ --- the "\/" tells that, match till this "/". (it will match only AAAA or whatever before a first "/".)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Harishma
Communicator

Thankyuo so much 🙂 Got it ..

0 Karma

lakromani
Builder

I think you do not need to escape the / inside [], so this will work as well.

([^/]+)\/
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Within square brackets the '^' character means 'not'. Therefore, the regex matches at least one non-slash character followed by a slash.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Harishma
Communicator

Oh If thats the case , it should ignore AAAA and match /BBBB/CCCC/hhhh

(\/.+) would match like that right??

Whats the difference between this (\/.+) and ([^\/]+)\/

0 Karma

Richfez
SplunkTrust
SplunkTrust

You can see a lot of this at what I've saved on regex101.com

Bit by bit,

(\/.+)
\/ is an escape, forward slash. The escape says the forward slash isn't a control character, but that you instead actually want a literal forward slash. . matches any one character, and the following + says "One or more of whatever immediately preceded this". So, all together, it'll look for a forward slash then one or more "somethings" following it.

([^\/]+)\/
[^\/] says to match characters that are NOT a forward slash. [] is for a character set, but when the first character inside it is ^ it flips it to NOT that character set. Following that is + so take one or more of those. Finally, the trailing \/ says it should be followed by a forward slash.

Again the regex101 link above has this, and if you study the explanation on the left it should vaguely match what I just wrote. 🙂

Also note the parenthesis are just to group things.

Harishma
Communicator

Thankyuo so much 🙂 That helped..!!

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...