Splunk Search

Regex Help

darkins
Engager

Probably a basic question.

I have the following data

600 reason

and this rex

(?<MetricValue>([^\s))]+))(?<Reason>([^:|^R]+))

What I am getting is 60 in MetricValue and 0 in Reason.

I presume that is due to the match being up to the next NOT space, thus the metric value is 60 and 0 remains in the data for Reason.

What is the right way to do this such that I get value = 600 and reason = reason?


richgalloway
SplunkTrust

Given the complexity of the regex, I suspect the sample event may be over-simplified. However, if it's a matter of the value field being an integer followed by a space, and then everything going into the reason field, then this rex command will do.

| rex "(?<MetricValue>\d+)\s(?<Reason>.*)"

---
If this reply helps you, Karma would be appreciated.

dural_yyz
Builder

Actually, most of your problem is coming from multiple capture groups inside a capture group, designated by each "()" pairing.

| makeresults format=csv data="sample
600 reason and more:then what
701 code practice Reason
899 something
104 this
12 nothing"
| rex field=sample "^(?<Metric>[^\s]+)\s(?<Reason>[^:|^R]+).*$"
| table sample Metric Reason


You can see in my example that after the <field> I did not nest additional capture group designations such as what you were using. The above generates some random data which I hope fits your use case, but you provided minimal examples so I made assumptions. The rex as coded would draw out the information you are looking for, assuming that the Metric is the first one on the line or field and that following it is the Reason, up to your indicated cut-off characters or the end of line, as I indicated. Feel free to remove the indicators for beginning of line and end of line if they don't fit your data.

Here is the output I get.

| sample                        | Metric | Reason          |
|-------------------------------|--------|-----------------|
| 600 reason and more:then what | 600    | reason and more |
| 701 code practice Reason      | 701    | code practice   |
| 899 something                 | 899    | something       |
| 104 this                      | 104    | this            |
| 12 nothing                    | 12     | nothing         |
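To see what each of the three patterns in this thread actually captures, here is an added Python example (not code from the posts above or from Splunk) that runs them with the standard re module over the sample events from the makeresults command plus the original one-line event. Python's re requires the (?P<name>...) spelling for named groups where Splunk's PCRE accepts (?<name>...); that is the only change made to the patterns. It also shows that on the simplified event "600 reason" the original pattern already yields 600, which supports the suspicion above that the real event differs from the sample.

```python
import re

# Constructed sample events: the rows from dural_yyz's makeresults above plus
# the original poster's one-line example.
SAMPLE_EVENTS = [
    "600 reason",
    "600 reason and more:then what",
    "701 code practice Reason",
    "899 something",
    "104 this",
    "12 nothing",
]

# The three patterns from this thread. Splunk's rex uses PCRE, where named
# groups are written (?<name>...); Python's re module needs (?P<name>...),
# which is the only edit made to them here.
PATTERNS = {
    # Original poster's pattern: an unnamed group nested inside each named one.
    "original": r"(?P<MetricValue>([^\s))]+))(?P<Reason>([^:|^R]+))",
    # richgalloway: digits, one whitespace character, then everything else.
    "richgalloway": r"(?P<MetricValue>\d+)\s(?P<Reason>.*)",
    # dural_yyz: anchored, no nested groups, same cut-off class as the original.
    # Inside [...] the characters | and ^ are literals, so [^:|^R] stops at
    # ':', '|', '^' or an uppercase 'R' (a lowercase 'r' still matches).
    "dural_yyz": r"^(?P<Metric>[^\s]+)\s(?P<Reason>[^:|^R]+).*$",
}


def extract(pattern: str, event: str) -> dict:
    """Apply one pattern to one event the way rex does (first match, unanchored
    unless the pattern itself carries ^ or $) and return only the named groups,
    which is all rex extracts; the unnamed nested groups are dropped."""
    match = re.search(pattern, event)
    return match.groupdict() if match else {}


def extract_all(name: str) -> list:
    """Run one of the thread's patterns over every sample event."""
    return [extract(PATTERNS[name], event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"== {name} ==")
        for event, fields in zip(SAMPLE_EVENTS, extract_all(name)):
            print(f"{event!r:40} -> {fields}")
```

Note that dural_yyz's pattern keeps the trailing space in "code practice " for the third event, which the Splunk table view does not make visible.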
