Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex quantifier: why is the result of this regex is 'arn' only?

brdr
Contributor
‎05-25-2018 08:08 AM

I apologize ahead for this as this is a regex question - one that I have struggled with.

| makeresults 
| eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
| rex field=ARN "^(?<r_arn>[^:{2}]*)"
| table r_arn

I don't understand why the result of this regex is 'arn' only. I am trying to capture everything up until '::' but it is only capturing up to the first ':'

Any help would be most appreciative. Thank you.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎05-25-2018 08:51 AM

hello there,

the regex tool explains it better than i do:
https://regex101.com/r/HRtqyC/1

try this search:

| makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^.]*)\:\:"
 | table r_arn

hope it helps

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎05-25-2018 08:52 AM

@brdr, can you try the following?

 | makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^:]+:[^:]+:[^:]+):"
 | table r_arn ARN
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

brdr
Contributor
‎05-25-2018 09:05 AM

thanks @niketnilay... this would work but the string before the '::' can have varying number of ':'. I appreciated your help 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-25-2018 09:15 AM

Sure makes sense! Glad that you found a working answer 🙂 regex101 is a great tool to apply/test and understand your regular expression. So keep it handy!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

brdr
Contributor
‎05-25-2018 10:17 AM

Got it.
I spent a good amount of time in regex101 before posting to Splunk Answers. I always try to figure things out, only using Answers when absolutely necessary.

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎05-25-2018 08:51 AM

hello there,

the regex tool explains it better than i do:
https://regex101.com/r/HRtqyC/1

try this search:

| makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^.]*)\:\:"
 | table r_arn

hope it helps

Reply
Solved! Jump to solution

brdr
Contributor
‎05-25-2018 09:04 AM

that worked! thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...