Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex help! (easy one)

beaunewcomb
Communicator
‎07-17-2012 02:11 PM

I need to extract fields from a set of results with inconsistent formatting. I think this would be easy for a regex pro.

Here are two events:

Jul 17 15:44:01 hostname 192.168.0.1 [st2-b3-inter-d005][system][error] trans(119657588)[192.168.0.2]: Unable to open URL

Jul 17 15:44:01 hostname 192.168.0.1 [network][error] trans(2064751791): Host connection could not be established

I need multiple extractions for the data within the first set of brackets (separated by the dash) in event 1. You'll see that event 2 doesn't contain this type of data at all.

Basically I need a regex that says "Match everything between the first [ and first - but not if there are more than 3 characters before the -"

I'm basically a regex noob!

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-17-2012 02:20 PM

This should do it:

\[([^-]{0,3})-

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-17-2012 02:20 PM

This should do it:

\[([^-]{0,3})-
Reply
Solved! Jump to solution

beaunewcomb
Communicator
‎07-17-2012 03:24 PM

Hahah you helped me!

You rock.. thanks a lot. I need to get this regex stuff down.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-17-2012 02:36 PM

I did nothing to you! 😉

No, sure. The regex first looks for the opening bracket, which has to be escaped because [ is a special character in regexes otherwise.

\[

Then the matching starts. We're looking for characters that are NOT the dash sign.

\[([^-]

Match if we find at least 0 and at most 3 non-dash characters.

\[([^-]{0,3}

End our matching group, and only match if this is immediately followed by a dash sign.

\[([^-]{0,3})-

I hope that sheds some light on how the regex is built step by step.

Reply
Solved! Jump to solution

beaunewcomb
Communicator
‎07-17-2012 02:30 PM

Is there any way you could explain what you did to me? Because I have to build extractions for the data in the separate sections (separated by -) in that bracket.

Awesome, fast answer btw.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-17-2012 02:24 PM

The field extractor wants a named extraction for FIELDNAME if I remember correctly, so:

\[(?P<FIELDNAME>[^-]{0,3})-
Reply
Solved! Jump to solution

beaunewcomb
Communicator
‎07-17-2012 02:23 PM

Wow, fast response! How would I use that in the field extractor?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...