Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

REX command: something or something or nothing

willial
Communicator
‎02-26-2014 12:30 PM

Here's my rex:

rex max_match=0 "(MSM-\w+\s+(?<slotMSM>\w+)\s+|MM-\w+\s+(?<slotMM>\w+)\s+|Slot-\d+\s+(?<slotNum>\d+)\s+|)OtherStuffAndsoOn"

This is at the front of a longer bit of rex, so basically a line could start with MSM-A or MM-A or Slot-1, or it could just start at the "OtherStuffAndSoOn" part where there's additional rex that's working fine. I'm trying to accomplish this by ending the first set of OR statements with |), indicating that I'd like it to consider "or none of these."

The problem is that it will pick up lines that start with MSM or MM or Slot, but won't pick up the ones that don't. The |) bit appears to do nothing.

I need to keep it max_match=0 as one log could contain any number of lines (in any of the above configurations) that need to be extracted.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎02-26-2014 12:53 PM

You can probably achieve what you want by putting a '?' or '*' after your whole regex. Both these will make the preceding match optional.

http://www.regular-expressions.info/optional.html

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎02-26-2014 12:53 PM

You can probably achieve what you want by putting a '?' or '*' after your whole regex. Both these will make the preceding match optional.

http://www.regular-expressions.info/optional.html

Reply
Solved! Jump to solution

willial
Communicator
‎02-28-2014 10:34 AM

I discovered that the problem was actually in an eval/mvzip later in the search coming up blank due to the above rex being empty, and requiring an if isnotnull to suss out whether or not it should be zipped, followed by the zip extraction requiring an OR to cover the possibility of there being nothing to extract there.

Either way, this answer works. Also, the (blah\blah\blah|) construction appears to work fine. Everything works, just not my brain. Thanks!

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-26-2014 01:39 PM

like this
rex max_match=0 "(MSM-\w+\s+(?\w+)\s+|MM-\w+\s+(?\w+)\s+|Slot-\d+\s+(?\d+)\s+)*OtherStuffAndsoOn"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...