Re: REX Non-Capture Group

subtrakt · ‎03-28-2017

Hi Everyone,

Trying to understand non-capture groups better

Trying to build rex that captures 2 conditions but uses a non-capture for condition one.

Condition one (non capture): Non Capture Message= but capture everything after (Message=)

Condition two: Everything after (:\d:)

Here's what I ended up with but "Message" still shows up in the results:

    | rex "(?i)(?P<TEST>((:\d:)|(?:(Message\=)))[^\$]*)"

woodcock · ‎03-28-2017

The main reason to have a non-capture group is because you need to do something to that thing as a group of text but not put it into a field. For example, in a CSV, to grab the 30th thing, you might use this:

| rex "^(?:[^,]*,){29}(?<csv30>[^,]*)"

So because I needed to skip 29 of the same thing, I put that thing (a CSV field plus the delimiting comma) into a (non-capturing) group and applied the multiplier {29}. Then I capture the next thing and name it.

So is your question truly academic or are you trying to do something with some data? If you are trying to do something, then show us the sample event data and describe what fields that you would like to create and we can help some more.

REX Non-Capture Group

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation