Regex search not working

dmittel
Engager

So I have a couple of lines that I am trying to get info out of using regex and it's not going quite the way I was hoping. Say in my events I have the lines below

1.) \Device\HarddiskVolume23\Test1
2.) \Device\HarddiskVolume23\Test1\Test
3.) \Device\HarddiskVolume23\Test1\Test\Test1

What I am looking to get is the results that would just be the root directories ( \Device\HarddiskVolume23\Test1 ). So I'm trying to set up a regex that does just that, but I'm not having the best of luck.

If I do the following, I will get the results 1 and 3 above.

regex Object_Name="Test1$" 

I was trying to set up the search so it would go:

regex Object_Name="HarddiskVolume\d\\d\\Test1$"

That doesn't return any results. Even if I used:

regex Object_Name="HarddiskVolume23\\Test1$"

I do not get any results.

I have multiple different paths to get this to search for, so that is why I would like to use as many regex variables as I can.

So what can I do to get this to work properly?

1 Solution

somesoni2
SplunkTrust

This works fine for me. (Comes with a run-anywhere example using your sample data.)

| gentimes start=-1 | eval temp="\Device\HarddiskVolume23\Test1 \Device\HarddiskVolume23\Test1\Test \Device\HarddiskVolume23\Test1\Test\Test1" | makemv temp| table temp | mvexpand temp | regex temp="HarddiskVolume\d+\\\Test1$"

You're almost there; you're just missing an additional backslash.


bmacias84
Champion

This regex statement will match all three lines, assuming each line begins with a backslash.

^(\\[^\\]+){3}

In SPL it would look like:

...| rex field=_raw "^(?<myfield>(\\[^\\]+){3})"
or
...| rex field=_raw "^(?<myfield>(\\[^\\]+){3})" max_match=0 | 

richgalloway
SplunkTrust

This works with your sample data. Because SPL and the regex engine both use backslash as an escape character, you have to use 4 backslashes to match a backslash.

regex Object_Name="\\\\\w+?\\\\\w+?\\\\\w+"
---
If this reply helps you, Karma would be appreciated.

dmittel
Engager

The problem is the event isn't always \device\volume\name. There are other events logged that have other paths that I am not concerned about.

When I try the regex Object_Name="\\\\\w+?\\\\\w+?\\\\\w+", it returns all results.


MuS
SplunkTrust

Hi dmittel,

if the events always have the same pattern, like \device\volume\name, you can use this little regex:

\\\w+\\\w+\\\w+

which will get \Device\HarddiskVolume23\Test1 from all provided examples.

Hope this helps ...

cheers, MuS

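To make the two escaping layers in this thread concrete, here is an added Python model (not Splunk's parser and not code from any of the posters) of what somesoni2's and richgalloway's answers describe: SPL unescapes the double-quoted string once, and only then does the regex engine see the pattern. The `spl_unescape` helper is an assumption about that step (`\\` to `\`, `\"` to `"`, everything else passed through), the three event strings are constructed from the sample lines in the question, and `extract_root` applies MuS's regex as the regex engine would receive it.

```python
import re

# Constructed sample events: the three Object_Name values from the question.
EVENTS = [
    r"\Device\HarddiskVolume23\Test1",
    r"\Device\HarddiskVolume23\Test1\Test",
    r"\Device\HarddiskVolume23\Test1\Test\Test1",
]


def spl_unescape(quoted: str) -> str:
    """Assumed model of how SPL reads a double-quoted string: a backslash
    followed by a backslash or a quote yields that character; any other
    sequence (\\d, \\w, \\T, ...) is handed to the regex engine unchanged."""
    out, i = [], 0
    while i < len(quoted):
        if quoted[i] == "\\" and i + 1 < len(quoted) and quoted[i + 1] in '\\"':
            out.append(quoted[i + 1])
            i += 2
        else:
            out.append(quoted[i])
            i += 1
    return "".join(out)


def filter_events(spl_pattern: str, events=EVENTS):
    """Emulate `| regex field="<spl_pattern>"` over the sample events.
    Returns (pattern as the regex engine sees it, matching events). A pattern
    whose literal backslash was consumed by the SPL layer is rejected here as
    an unknown escape; either way no event with a real backslash can match."""
    pat = spl_unescape(spl_pattern)
    try:
        rx = re.compile(pat)
    except re.error:
        return pat, []
    return pat, [e for e in events if rx.search(e)]


def extract_root(event: str) -> str:
    """MuS's regex, as the engine sees it: three backslash-separated
    \\w+ segments anchored at the start, i.e. \\Device\\<volume>\\<name>.
    In an SPL string each backslash below would be doubled."""
    m = re.match(r"\\\w+\\\w+\\\w+", event)
    return m.group(0) if m else ""
```

Running `filter_events` with the question's two-backslash pattern shows the backslash disappearing before the regex engine runs, while somesoni2's three-backslash and richgalloway's four-backslash forms both survive as one literal backslash.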