Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex quantifier: why is the result of this regex is 'arn' only?

brdr
Contributor
‎05-25-2018 08:08 AM

I apologize ahead for this as this is a regex question - one that I have struggled with.

| makeresults 
| eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
| rex field=ARN "^(?<r_arn>[^:{2}]*)"
| table r_arn

I don't understand why the result of this regex is 'arn' only. I am trying to capture everything up until '::' but it is only capturing up to the first ':'

Any help would be most appreciative. Thank you.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎05-25-2018 08:51 AM

hello there,

the regex tool explains it better than i do:
https://regex101.com/r/HRtqyC/1

try this search:

| makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^.]*)\:\:"
 | table r_arn

hope it helps

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎05-25-2018 08:52 AM

@brdr, can you try the following?

 | makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^:]+:[^:]+:[^:]+):"
 | table r_arn ARN
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

brdr
Contributor
‎05-25-2018 09:05 AM

thanks @niketnilay... this would work but the string before the '::' can have varying number of ':'. I appreciated your help 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-25-2018 09:15 AM

Sure makes sense! Glad that you found a working answer 🙂 regex101 is a great tool to apply/test and understand your regular expression. So keep it handy!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

brdr
Contributor
‎05-25-2018 10:17 AM

Got it.
I spent a good amount of time in regex101 before posting to Splunk Answers. I always try to figure things out, only using Answers when absolutely necessary.

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎05-25-2018 08:51 AM

hello there,

the regex tool explains it better than i do:
https://regex101.com/r/HRtqyC/1

try this search:

| makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^.]*)\:\:"
 | table r_arn

hope it helps

Reply
Solved! Jump to solution

brdr
Contributor
‎05-25-2018 09:04 AM

that worked! thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...