Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex quantifier: why is the result of this regex is 'arn' only?

brdr
Contributor
‎05-25-2018 08:08 AM

I apologize ahead for this as this is a regex question - one that I have struggled with.

| makeresults 
| eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
| rex field=ARN "^(?<r_arn>[^:{2}]*)"
| table r_arn

I don't understand why the result of this regex is 'arn' only. I am trying to capture everything up until '::' but it is only capturing up to the first ':'

Any help would be most appreciative. Thank you.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎05-25-2018 08:51 AM

hello there,

the regex tool explains it better than i do:
https://regex101.com/r/HRtqyC/1

try this search:

| makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^.]*)\:\:"
 | table r_arn

hope it helps

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎05-25-2018 08:52 AM

@brdr, can you try the following?

 | makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^:]+:[^:]+:[^:]+):"
 | table r_arn ARN
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

brdr
Contributor
‎05-25-2018 09:05 AM

thanks @niketnilay... this would work but the string before the '::' can have varying number of ':'. I appreciated your help 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-25-2018 09:15 AM

Sure makes sense! Glad that you found a working answer 🙂 regex101 is a great tool to apply/test and understand your regular expression. So keep it handy!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

brdr
Contributor
‎05-25-2018 10:17 AM

Got it.
I spent a good amount of time in regex101 before posting to Splunk Answers. I always try to figure things out, only using Answers when absolutely necessary.

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎05-25-2018 08:51 AM

hello there,

the regex tool explains it better than i do:
https://regex101.com/r/HRtqyC/1

try this search:

| makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^.]*)\:\:"
 | table r_arn

hope it helps

Reply
Solved! Jump to solution

brdr
Contributor
‎05-25-2018 09:04 AM

that worked! thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...