Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex matching in search when it doesn't in regex creator

beaunewcomb
Communicator
‎07-19-2012 11:49 AM

This regex is actually a lot longer, and obviously the events are too, but here's what appears to be happening. I want data out of paranthesis in the format below, EXCEPT for when the word in front of the paren is "trans" like below. So I'm using ^ to specify what I don't want to match. It appears to work fine in the regex builder, but when I search for object=* I'm getting the objects after trans as well.

I wrote in additional regex to try to filter anything with just numbers, but that shows the same behavior. Is it something with ^ ?

mq-qm(QMNGRBKUP_01)

trans(30251343)

[^trans][\w'-]+((?P[^0-9][\w'-]+)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-19-2012 12:00 PM

Brackets in regexes denote a range of characters, and the ^ character within brackets negate the match. So [^trans] does NOT perform a negated match on the string "trans", rather it matches one of the characters t, r, a, n and s. To do that kind of match you need a negative lookbehind (http://www.regular-expressions.info/lookaround.html ).

(?<!trans)[\w'-]+\((?P<object>[^0-9][\w'-]+)

I still think it shouldn't be matching anyway though, because [^trans] will match on the last s in the word...

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-19-2012 12:00 PM

Brackets in regexes denote a range of characters, and the ^ character within brackets negate the match. So [^trans] does NOT perform a negated match on the string "trans", rather it matches one of the characters t, r, a, n and s. To do that kind of match you need a negative lookbehind (http://www.regular-expressions.info/lookaround.html ).

(?<!trans)[\w'-]+\((?P<object>[^0-9][\w'-]+)

I still think it shouldn't be matching anyway though, because [^trans] will match on the last s in the word...

Reply
Solved! Jump to solution

beaunewcomb
Communicator
‎07-19-2012 12:19 PM

Thank you for the insight. you're right on both accounts... where I messed up was I had a different extraction for trans which was setting as well.

So now I also know how to use multiple regexes for one field 😛

Thanks again for your expertise

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...