Re: REX Non-Capture Group

subtrakt · ‎03-28-2017

Hi Everyone,

Trying to understand non-capture groups better

Trying to build rex that captures 2 conditions but uses a non-capture for condition one.

Condition one (non capture): Non Capture Message= but capture everything after (Message=)

Condition two: Everything after (:\d:)

Here's what I ended up with but "Message" still shows up in the results:

    | rex "(?i)(?P<TEST>((:\d:)|(?:(Message\=)))[^\$]*)"

woodcock · ‎03-28-2017

The main reason to have a non-capture group is because you need to do something to that thing as a group of text but not put it into a field. For example, in a CSV, to grab the 30th thing, you might use this:

| rex "^(?:[^,]*,){29}(?<csv30>[^,]*)"

So because I needed to skip 29 of the same thing, I put that thing (a CSV field plus the delimiting comma) into a (non-capturing) group and applied the multiplier {29}. Then I capture the next thing and name it.

So is your question truly academic or are you trying to do something with some data? If you are trying to do something, then show us the sample event data and describe what fields that you would like to create and we can help some more.

REX Non-Capture Group

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

REX Non-Capture Group

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey