Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex help

jboustead
Explorer
‎10-08-2020 03:21 AM

I am currently trying to use a regex to pick out the events with the date '2020XXXX' - I want the regex to search pick up any event date providing it does not have 'reg' following the '.' or '_' (pick out all the event dates below, except the first). How do I do this? 

Current regex: 2020\d{4}[\.\_]

List of different events\logs from the splunk search:

_20201007144100_20200416_reg.zip

_20201007103200_20201007.zip

_20201007095000_20201007.zip

_20201007092933_20201007.zip

_20201007061717_20201007_txn.zip

_20201007041719_20201007.zip

Labels (1)
Labels
0 Karma
Reply

FritzWittwer
Path Finder
‎10-08-2020 10:23 PM

^_2\d*_(2)(\d*)([_\.])(?!req).*zip$

Works for all dates before year 3000

0 Karma
Reply

jboustead
Explorer
‎10-08-2020 03:55 AM

Thank you for your quick response. Is it possible to expand that regex so that it picks up string without 'reg' following the '_' or '.'?

For example: 

So it would pick up:

_20201007103200_20201007.zip

but would not pick up:

_20201007144100_20200416_reg.zip

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-08-2020 04:00 AM

Hi @jboustead,

let me understand: do you want "_20201007103200_20201007.zip" and you want to exclude "_20201007144100_20200416_reg.zip", is it correct?

If this is your need, try this:

your_search
| regex "_2020\d{4}\.zip"
| ...

that you can test at https://regex101.com/r/g82uft/2

Ciao.

Giuseppe

 

 

 

0 Karma
Reply

jboustead
Explorer
‎10-08-2020 04:04 AM

That is correct, however - I am also wanting to include other strings such as: 

_20201007061717_20201007_txn.zip

_20201007092933_20201007_stl.zip

Basically to include any string that does not contain _reg after the date...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-08-2020 11:16 PM

Hi @jboustead,

please try (like the one hinted by @FritzWittwer) someting like this:

 

your_search
| regex "_2020\d{4}([^\.]*)(?|reg)\.zip"
| ...

Ciao.

Giuseppe

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-08-2020 03:48 AM

Hi @jboustead,

try this regex

your_search
| regex "_2020\d{4}_|\."
| ...

that you can test at https://regex101.com/r/g82uft/1

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...