Solved: Regex search not working

dmittel · ‎01-28-2016

So I have a couple of lines that I am trying to get info out of using regex and it's not going quite the way I was hoping. Say in my events I have the lines below

1.) \Device\HarddiskVolume23\Test1
2.) \Device\HarddiskVolume23\Test1\Test
3.) \Device\HarddiskVolume23\Test1\Test\Test1

What I am looking to get is the results that would just be the root directories ( \Device\HarddiskVolume23\Test1 ). So I'm trying to set up a regex that does just that, but I'm not having the best of luck.

If I do the following, I will get the results 1 and 3 above.

regex Object_Name="Test1$"

I was trying to set up the search so it would go:

regex Object_Name="HarddiskVolume\d\\d\\Test1$"

That doesn't return any results. Even if I used:

regex Object_Name="HarddiskVolume23\\Test1$"

I do not get any results.

I have multiple different paths to get this to search for, so that is why I would like to use as many regex variables as I can.

So what can I do to get this to work properly?

somesoni2 · ‎01-28-2016

This works fine for me. (comes with run anywhere example with your sample data)

| gentimes start=-1 | eval temp="\Device\HarddiskVolume23\Test1 \Device\HarddiskVolume23\Test1\Test \Device\HarddiskVolume23\Test1\Test\Test1" | makemv temp| table temp | mvexpand temp | regex temp="HarddiskVolume\d+\\\Test1$"

You're almost there, just missing additional backslash

View solution in original post

bmacias84 · ‎01-28-2016

This regex statement will match all three lines assuming each lines begins with a backslash.

^(\\[^\\]+){3}

In SPL it would look like:

...| rex field=_raw "^(?<myfield>(\\[^\\]+){3})"
or 
...| rex field=_raw "^(?<myfield>(\\[^\\]+){3})" max_match=0 |

somesoni2 · ‎01-28-2016

This works fine for me. (comes with run anywhere example with your sample data)

| gentimes start=-1 | eval temp="\Device\HarddiskVolume23\Test1 \Device\HarddiskVolume23\Test1\Test \Device\HarddiskVolume23\Test1\Test\Test1" | makemv temp| table temp | mvexpand temp | regex temp="HarddiskVolume\d+\\\Test1$"

You're almost there, just missing additional backslash

richgalloway · ‎01-28-2016

This works with your sample data. Because SPL and the regex engine both use backslash as an escape character, you have to use 4 backslashes to match a backslash.

regex Object_Name="\\\\\w+?\\\\\w+?\\\\\w+"

---
If this reply helps you, Karma would be appreciated.

dmittel · ‎01-28-2016

The problem is the event isnt always \device\volume\name. There are other events logged that have other paths that I am not concerned about.

When I try the regex Object_Name="\\\\\w+?\\\\\w+?\\\\\w+" it returns all results

MuS · ‎01-28-2016

Hi dmittel,

if the the events always have the same pattern like \device\volume\name you can use this little regex:

 \\\w+\\\w+\\\w+

which will get \Device\HarddiskVolume23\Test1 from all provided examples.

Hope this helps ...

cheers, MuS

Regex search not working

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation