Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Regex search not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I have a couple of lines that I am trying to get info out of using regex and it's not going quite the way I was hoping. Say in my events I have the lines below
1.) \Device\HarddiskVolume23\Test1
2.) \Device\HarddiskVolume23\Test1\Test
3.) \Device\HarddiskVolume23\Test1\Test\Test1
What I am looking to get is the results that would just be the root directories ( \Device\HarddiskVolume23\Test1 ). So I'm trying to set up a regex that does just that, but I'm not having the best of luck.
If I do the following, I will get the results 1 and 3 above.
regex Object_Name="Test1$"
I was trying to set up the search so it would go:
regex Object_Name="HarddiskVolume\d\\d\\Test1$"
That doesn't return any results. Even if I used:
regex Object_Name="HarddiskVolume23\\Test1$"
I do not get any results.
I have multiple different paths to get this to search for, so that is why I would like to use as many regex variables as I can.
So what can I do to get this to work properly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works fine for me. (comes with run anywhere example with your sample data)
| gentimes start=-1 | eval temp="\Device\HarddiskVolume23\Test1 \Device\HarddiskVolume23\Test1\Test \Device\HarddiskVolume23\Test1\Test\Test1" | makemv temp| table temp | mvexpand temp | regex temp="HarddiskVolume\d+\\\Test1$"
You're almost there, just missing additional backslash
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This regex statement will match all three lines assuming each lines begins with a backslash.
^(\\[^\\]+){3}
In SPL it would look like:
...| rex field=_raw "^(?<myfield>(\\[^\\]+){3})"
or
...| rex field=_raw "^(?<myfield>(\\[^\\]+){3})" max_match=0 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works fine for me. (comes with run anywhere example with your sample data)
| gentimes start=-1 | eval temp="\Device\HarddiskVolume23\Test1 \Device\HarddiskVolume23\Test1\Test \Device\HarddiskVolume23\Test1\Test\Test1" | makemv temp| table temp | mvexpand temp | regex temp="HarddiskVolume\d+\\\Test1$"
You're almost there, just missing additional backslash
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works with your sample data. Because SPL and the regex engine both use backslash as an escape character, you have to use 4 backslashes to match a backslash.
regex Object_Name="\\\\\w+?\\\\\w+?\\\\\w+"
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is the event isnt always \device\volume\name. There are other events logged that have other paths that I am not concerned about.
When I try the regex Object_Name="\\\\\w+?\\\\\w+?\\\\\w+" it returns all results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dmittel,
if the the events always have the same pattern like \device\volume\name you can use this little regex:
\\\w+\\\w+\\\w+
which will get \Device\HarddiskVolume23\Test1 from all provided examples.
Hope this helps ...
cheers, MuS
Application management with Targeted Application Install for Victoria Experience
Index This | What goes up and never comes down?
Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination
