Splunk Search

Regular Expressions Tutorial

Joannelr
Explorer

I am looking for a complete tutorial on regular expressions in splunk. A tutorial that will be able to teach from the very start of using regular expressions and searching with them.

Please help and let me know where i can find a tutorial like this? I am using a MacBook Air laptop.

Thank you in advance

Tags (1)

pal_sumit1
Path Finder

Hi ,
First go through this link ; https://regexone.com/
It will give you basic understanding about what variables we can use while writing regex.

When you finished the above tutorial then go through below link :
https://www.regular-expressions.info/nonprint.html

They have explained everything in detailed manner.

After that just practice as much as you can by taking sample events in below link:
https://regex101.com/

0 Karma

gururaja0
New Member

Hi

I wnts to extract the particular string from the filed."oozie:action:T=abcd:A=insert:ID=1234-567-oozie-oozi-W\" from this field I wants to extract the values after ID= means "1234-567-oozie-oozi-W\".,Hi
i want to split the number value from below string

oozie:action:T=abc:A=insert:ID=123-45678:oozie:ooz-W. Iwants to extract the value 123-45678:oozie:ooz-W.can some one help me .

Thanks
Raj

0 Karma

wpreston
Motivator

I started off with regex and Splunk by watching some of Michael Wilde's videos over at http://splunkninja.ning.com/

I couldn't download any of the programs either, so I used an online regex tool that let me paste in my own sample data to search against: https://regex101.com/ and used http://www.regular-expressions.info/ for reference.

It really was a bunch of experimentation after that. I had quite a few scenarios where I needed regular expressions and working through them helped me learn. Good luck!

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

RegexOne - Learn Regular Expression with simple, interactive examples !

jeffland
SplunkTrust
SplunkTrust

Indeed a good place to start.

0 Karma

raj_mpl
Path Finder

Good Place to start with regex

0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

Actually, this is a very good tutorial (introduction) to regex in the context of Splunk:

http://blogs.splunk.com/2008/10/22/all-my-regexs-live-in-texas/

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

MichaelPriest
Communicator

Another great site is http://www.regular-expressions.info/

0 Karma

Joannelr
Explorer

I've had a look at that site a few times, however, I cannot download the programs mentioned there as they run on Windows and I'm using Apple...

0 Karma

jeffland
SplunkTrust
SplunkTrust

For regular expressions, you don't need a tutorial - you need to do it. But to help you do it, there is regex101.com with syntax highlighting, explanations for every part of your expression, and a quick reference for available expressions.

In my experience, regex is strictly learning by doing.

andrewdore
Explorer

I agree with aljohnson. there should at least be a guide for what certain things do so you can learn to use them together.

0 Karma

niketn
Legend

@andrewdore, do read @jeffland's comment as well. regex101.com site towards bottom right has QUICK REFERENCE with common regex expressions and their meaning.

There are few FLAVORS of Regular Expressions. 99% of case Splunk uses PCRE() Regular Expression type which is on Top Left (selected by default).

Once you have your TEST STRING (sample data) for Regex pattern matching and start typing out your Regular Expression EXPLANATION and MATCH INFORMATION section on right provide you with the plain English explanation of what regular expression is doing and what pattern has matched.

In the Regular Expression Text field there is also Regex Flag selection which gives you information on what they do. Few of them like m and s are important in Splunk based on use case.

While regex101.com is simple crisp repository of everything you might need for Regular Expression in one page, do check out Splunk .conf session on Beyond Regular Regular Expressions by @cpetterborg 's (he's at BOSS level for Regular Expressions :)) http://conf.splunk.com/sessions/2017-sessions.html#search=Beyond%20REGULAR%20Regular%20Expressions&

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

joshualemoine
Path Finder

Thatnks for the .conf session suggestion. Update for anyone who still wants to see it. The link is now @ https://conf.splunk.com/files/2017/recordings/beyond-regular-regular-expressions-v2-point-0.mp4

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

I disagree - they're asking for something pretty specific: "A tutorial that will be able to teach from the very start of using regular expressions and searching with them." I think I understand your point (and partially agree), but its sort of like someone saying they want to learn how to shell script and you just tell them to man everything and have fun. I also really hope someone tell me that is how they learned haha.

jeffland
SplunkTrust
SplunkTrust

Ok, maybe saying it is "strictly" learning by doing is a bit harsh. I should've explained that after you've grasped the general concept of regular expressions, it is most helpful to have a look at some existing regular expressions with regex101.com (or any other site of that kind) - of course starting from blank there is hard.

yannK
Splunk Employee
Splunk Employee

this one is also quite complete
http://www.zytrax.com/tech/web/regex.htm

gyslainlatsa
Motivator
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...