Splunk Search

Regex AND Operator

subtrakt
Contributor

I thought ?= acts like an AND operator.

Condition would be to capture words with >5 Upper-Case AND 4 Lower-Case and any other non-whitespace in the word.

Here's what i came up with - doesn't seem to work:
"s/(\S*[A-Z]{5,})(?=[a-z]{4,})\S*//g"

Would want it to capture strings like these:

  1. adsdkdkDKDKDdkd:djkDKDK
  2. ASaFaAdfkK-asdfoiA
  3. asdfASDFF

I realized this actually works but doesn't work on words with non-consecutive A-Z. Any idea how to make it work with non-consecutive A-Z?

TEST1 doesn't work (non-consecutive):
| makeresults | eval TEST="AAAaAAaaaassdjkd" | rex field=TEST max_match=0 "(?\S*([A-Z]{5,})(?=[a-z]{4,})\S*)"

TEST1 Does work (consecutive AAAAAaaaa)
| makeresults | eval TEST="AAAAAaaaassdjkd" | rex field=TEST max_match=0 "(?\S*([A-Z]{5,})(?=[a-z]{4,})\S*)"

Tags (2)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Using the positive lookahead approach, ((?=(?:\S*[A-Z]){5,})(?:\S*[a-z]){4,}\S*) will match both cases. The match itself says "any non-space followed by a lower-case letter, at least four times - followed by any non-space" while the positive lookahead first asserts "any non-space followed by an upper-case letter, at least five times", no need to assert the followed-by part here.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Using the positive lookahead approach, ((?=(?:\S*[A-Z]){5,})(?:\S*[a-z]){4,}\S*) will match both cases. The match itself says "any non-space followed by a lower-case letter, at least four times - followed by any non-space" while the positive lookahead first asserts "any non-space followed by an upper-case letter, at least five times", no need to assert the followed-by part here.

0 Karma

subtrakt
Contributor

Thanks Martin -

Came up with this solution as well but yours looks cleaner.

| makeresults | eval TEST="AAAaaAaaaa" | rex field=TEST max_match=0 "(?<TEST1>\S*(?=([a-z]*[A-Z]){4})(?=([A-Z]*[a-z]){6})[a-zA-Z]*\S*)"
0 Karma

subtrakt
Contributor

One question regarding your non-capture groups. Are those for efficiency? I realized i can take out the ?: and it still works.

0 Karma

mayurr98
Super Champion

Can you provide sample events and tell what do you want to extract it?
Also put the code in 10101 sample code format.

0 Karma

subtrakt
Contributor

"s/(\S*[A-Z]{5,})(?=[a-z]{4,})\S*//g"

I realized this actually works but doesn't work on words with non-consecutive A-Z. Any idea how to make it work with non-consecutive A-Z?

This would work AAAAAaaaassdjkd
This would not work AAaaAAaaaaasfd

0 Karma

subtrakt
Contributor

TEST1 doesn't work (non-consecutive):
| makeresults | eval TEST="AAAaAAaaaassdjkd" | rex field=TEST max_match=0 "(?\S*([A-Z]{5,})(?=[a-z]{4,})\S*)"

TEST1 Does work (consecutive)
| makeresults | eval TEST="AAAAAaaaassdjkd" | rex field=TEST max_match=0 "(?\S*([A-Z]{5,})(?=[a-z]{4,})\S*)"

0 Karma

ibob0304
Communicator

can you please provide the sample output too ? I couldn't get the >5 part

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...