- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Regex quantifier: why is the result of this re...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I apologize ahead for this as this is a regex question - one that I have struggled with.
| makeresults
| eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
| rex field=ARN "^(?<r_arn>[^:{2}]*)"
| table r_arn
I don't understand why the result of this regex is 'arn' only. I am trying to capture everything up until '::' but it is only capturing up to the first ':'
Any help would be most appreciative. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
the regex tool explains it better than i do:
https://regex101.com/r/HRtqyC/1
try this search:
| makeresults
| eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
| rex field=ARN "^(?<r_arn>[^.]*)\:\:"
| table r_arn
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@brdr, can you try the following?
| makeresults
| eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
| rex field=ARN "^(?<r_arn>[^:]+:[^:]+:[^:]+):"
| table r_arn ARN
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks @niketnilay... this would work but the string before the '::' can have varying number of ':'. I appreciated your help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure makes sense! Glad that you found a working answer 🙂 regex101 is a great tool to apply/test and understand your regular expression. So keep it handy!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it.
I spent a good amount of time in regex101 before posting to Splunk Answers. I always try to figure things out, only using Answers when absolutely necessary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
the regex tool explains it better than i do:
https://regex101.com/r/HRtqyC/1
try this search:
| makeresults
| eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
| rex field=ARN "^(?<r_arn>[^.]*)\:\:"
| table r_arn
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that worked! thank you.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
