Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex matching in search when it doesn't in regex creator

beaunewcomb
Communicator
‎07-19-2012 11:49 AM

This regex is actually a lot longer, and obviously the events are too, but here's what appears to be happening. I want data out of paranthesis in the format below, EXCEPT for when the word in front of the paren is "trans" like below. So I'm using ^ to specify what I don't want to match. It appears to work fine in the regex builder, but when I search for object=* I'm getting the objects after trans as well.

I wrote in additional regex to try to filter anything with just numbers, but that shows the same behavior. Is it something with ^ ?

mq-qm(QMNGRBKUP_01)

trans(30251343)

[^trans][\w'-]+((?P[^0-9][\w'-]+)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-19-2012 12:00 PM

Brackets in regexes denote a range of characters, and the ^ character within brackets negate the match. So [^trans] does NOT perform a negated match on the string "trans", rather it matches one of the characters t, r, a, n and s. To do that kind of match you need a negative lookbehind (http://www.regular-expressions.info/lookaround.html ).

(?<!trans)[\w'-]+\((?P<object>[^0-9][\w'-]+)

I still think it shouldn't be matching anyway though, because [^trans] will match on the last s in the word...

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-19-2012 12:00 PM

Brackets in regexes denote a range of characters, and the ^ character within brackets negate the match. So [^trans] does NOT perform a negated match on the string "trans", rather it matches one of the characters t, r, a, n and s. To do that kind of match you need a negative lookbehind (http://www.regular-expressions.info/lookaround.html ).

(?<!trans)[\w'-]+\((?P<object>[^0-9][\w'-]+)

I still think it shouldn't be matching anyway though, because [^trans] will match on the last s in the word...

Reply
Solved! Jump to solution

beaunewcomb
Communicator
‎07-19-2012 12:19 PM

Thank you for the insight. you're right on both accounts... where I messed up was I had a different extraction for trans which was setting as well.

So now I also know how to use multiple regexes for one field 😛

Thanks again for your expertise

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...