Re: REX Non-Capture Group

subtrakt · ‎03-28-2017

Hi Everyone,

Trying to understand non-capture groups better

Trying to build rex that captures 2 conditions but uses a non-capture for condition one.

Condition one (non capture): Non Capture Message= but capture everything after (Message=)

Condition two: Everything after (:\d:)

Here's what I ended up with but "Message" still shows up in the results:

    | rex "(?i)(?P<TEST>((:\d:)|(?:(Message\=)))[^\$]*)"

woodcock · ‎03-28-2017

The main reason to have a non-capture group is because you need to do something to that thing as a group of text but not put it into a field. For example, in a CSV, to grab the 30th thing, you might use this:

| rex "^(?:[^,]*,){29}(?<csv30>[^,]*)"

So because I needed to skip 29 of the same thing, I put that thing (a CSV field plus the delimiting comma) into a (non-capturing) group and applied the multiplier {29}. Then I capture the next thing and name it.

So is your question truly academic or are you trying to do something with some data? If you are trying to do something, then show us the sample event data and describe what fields that you would like to create and we can help some more.

REX Non-Capture Group

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation