Solved: Re: Regular expression is not working properly.. P...

rajim · ‎03-06-2018

I need to have the first qualifier of a FQDN string. I have used the below mentioned query to do so. But it's not recognizing the ".". Could anyone please help me out here.

index=myindex_glbl 
| rex field=Domain "^(?<Territory>.*)\."
| dedup Domain
| table Domain Territory

Here is the sample output:

Domain  Territory
us.nam.ad.xyz.com   us.nam.ad.xyz
crb.nam.ad.xyz.com  crb.nam.ad.xyz

This is very strange behaviour. Can anybody suggest why this is happening?

493669 · ‎03-06-2018

Try this regex:

| rex field=Domain "^(?<Territory>[^\.]+)"

below regex will check till it found last "." instead of first while above regex will find first "."

| rex field=Domain "^(?<Territory>.*)\."

View solution in original post

493669 · ‎03-06-2018

Try this regex:

| rex field=Domain "^(?<Territory>[^\.]+)"

below regex will check till it found last "." instead of first while above regex will find first "."

| rex field=Domain "^(?<Territory>.*)\."

rajim · ‎03-07-2018

Thanks .. It's working... so if the delimiter character is mentioned after the ")", then it'll search for last occurance, right?

493669 · ‎03-07-2018

not only when it is mentioned after ")" if you try | rex field=Domain "^(?<Territory>.*\.)" then also it will search for last occurance.

rajim · ‎03-07-2018

got it .. thnks.

Regular expression is not working properly.. Please suggest

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Are you a member of the Splunk Community?

Regular expression is not working properly.. Please suggest

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025