Splunk Search

Regex quantifier: why is the result of this regex is 'arn' only?

Contributor

I apologize ahead for this as this is a regex question - one that I have struggled with.

| makeresults 
| eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
| rex field=ARN "^(?<r_arn>[^:{2}]*)"
| table r_arn

I don't understand why the result of this regex is 'arn' only. I am trying to capture everything up until '::' but it is only capturing up to the first ':'

Any help would be most appreciative. Thank you.

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

hello there,

the regex tool explains it better than i do:
https://regex101.com/r/HRtqyC/1

try this search:

| makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^.]*)\:\:"
 | table r_arn

hope it helps

View solution in original post

Legend

@brdr, can you try the following?

 | makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^:]+:[^:]+:[^:]+):"
 | table r_arn ARN
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Contributor

thanks @niketnilay... this would work but the string before the '::' can have varying number of ':'. I appreciated your help 🙂

0 Karma

Legend

Sure makes sense! Glad that you found a working answer 🙂 regex101 is a great tool to apply/test and understand your regular expression. So keep it handy!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Contributor

Got it.
I spent a good amount of time in regex101 before posting to Splunk Answers. I always try to figure things out, only using Answers when absolutely necessary.

SplunkTrust
SplunkTrust

hello there,

the regex tool explains it better than i do:
https://regex101.com/r/HRtqyC/1

try this search:

| makeresults 
 | eval ARN="arn:aws-us-gov:iam::123456789:user/Administrator"
 | rex field=ARN "^(?<r_arn>[^.]*)\:\:"
 | table r_arn

hope it helps

View solution in original post

Contributor

that worked! thank you.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!