Splunk Search

Regex help

jboustead
Explorer

I am currently trying to use a regex to pick out the events with the date '2020XXXX' - I want the regex to search pick up any event date providing it does not have 'reg' following the '.' or '_' (pick out all the event dates below, except the first). How do I do this? 

Current regex: 2020\d{4}[\.\_]

List of different events\logs from the splunk search:

_20201007144100_20200416_reg.zip

_20201007103200_20201007.zip

_20201007095000_20201007.zip

_20201007092933_20201007.zip

_20201007061717_20201007_txn.zip

_20201007041719_20201007.zip

Labels (1)
0 Karma

FritzWittwer
Path Finder

^_2\d*_(2)(\d*)([_\.])(?!req).*zip$

Works for all dates before year 3000

0 Karma

jboustead
Explorer

Thank you for your quick response. Is it possible to expand that regex so that it picks up string without 'reg' following the '_' or '.'?

For example: 

So it would pick up:

_20201007103200_20201007.zip

but would not pick up:

_20201007144100_20200416_reg.zip

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jboustead,

let me understand: do you want "_20201007103200_20201007.zip" and you want to exclude "_20201007144100_20200416_reg.zip", is it correct?

If this is your need, try this:

your_search
| regex "_2020\d{4}\.zip"
| ...

that you can test at https://regex101.com/r/g82uft/2

Ciao.

Giuseppe

 

 

 

0 Karma

jboustead
Explorer

That is correct, however - I am also wanting to include other strings such as: 

_20201007061717_20201007_txn.zip

_20201007092933_20201007_stl.zip

Basically to include any string that does not contain _reg after the date...

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jboustead,

please try (like the one hinted by @FritzWittwer) someting like this:

 

your_search
| regex "_2020\d{4}([^\.]*)(?|reg)\.zip"
| ...

Ciao.

Giuseppe

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jboustead,

try this regex

your_search
| regex "_2020\d{4}_|\."
| ...

that you can test at https://regex101.com/r/g82uft/1

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...