I am looking for a complete tutorial on regular expressions in splunk. A tutorial that will be able to teach from the very start of using regular expressions and searching with them.
Please help and let me know where i can find a tutorial like this? I am using a MacBook Air laptop.
Thank you in advance
For regular expressions, you don't need a tutorial - you need to do it. But to help you do it, there is regex101.com with syntax highlighting, explanations for every part of your expression, and a quick reference for available expressions.
In my experience, regex is strictly learning by doing.
I disagree - they're asking for something pretty specific: "A tutorial that will be able to teach from the very start of using regular expressions and searching with them." I think I understand your point (and partially agree), but its sort of like someone saying they want to learn how to shell script and you just tell them to man everything and have fun. I also really hope someone tell me that is how they learned haha.
Ok, maybe saying it is "strictly" learning by doing is a bit harsh. I should've explained that after you've grasped the general concept of regular expressions, it is most helpful to have a look at some existing regular expressions with regex101.com (or any other site of that kind) - of course starting from blank there is hard.
@andrewdore, do read @jeffland's comment as well. regex101.com site towards bottom right has
QUICK REFERENCE with common regex expressions and their meaning.
There are few
FLAVORS of Regular Expressions. 99% of case Splunk uses PCRE() Regular Expression type which is on Top Left (selected by default).
Once you have your TEST STRING (sample data) for Regex pattern matching and start typing out your Regular Expression EXPLANATION and MATCH INFORMATION section on right provide you with the plain English explanation of what regular expression is doing and what pattern has matched.
In the Regular Expression Text field there is also Regex Flag selection which gives you information on what they do. Few of them like
s are important in Splunk based on use case.
While regex101.com is simple crisp repository of everything you might need for Regular Expression in one page, do check out Splunk .conf session on
Beyond Regular Regular Expressions by @cpetterborg 's (he's at BOSS level for Regular Expressions :)) http://conf.splunk.com/sessions/2017-sessions.html#search=Beyond%20REGULAR%20Regular%20Expressions&
Thatnks for the .conf session suggestion. Update for anyone who still wants to see it. The link is now @ https://conf.splunk.com/files/2017/recordings/beyond-regular-regular-expressions-v2-point-0.mp4