Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are the regex equivalents of the wildcards ... and *?

hulahoop
Splunk Employee
Splunk Employee
‎02-19-2010 02:20 AM

In inputs.conf and props.conf, the wildcards ... and * are supported for use in the spec headers. What do they translate to in PCRE? This is useful to know because sometimes the resulting matches are confusing.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-19-2010 06:08 AM
  • ... (three periods) in source stanza headings is treated as .* in PCRE regex
  • * (asterisk) in source stanza headings is treated as [^/\\]* in PCRE regex
  • . (one period) in stanza headings is treated as \.
  • Note that all other PCRE syntax is also valid
  • Note that the expression must match the entire path. In regex terms, the expression has an implicit ^ at the beginning and an implicit $ at the end, and that must match the source value.

View solution in original post

Reply
Solved! Jump to solution

Lowell
Super Champion
‎05-26-2010 08:11 PM

You may also find some of this helpful:

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-19-2010 06:08 AM
  • ... (three periods) in source stanza headings is treated as .* in PCRE regex
  • * (asterisk) in source stanza headings is treated as [^/\\]* in PCRE regex
  • . (one period) in stanza headings is treated as \.
  • Note that all other PCRE syntax is also valid
  • Note that the expression must match the entire path. In regex terms, the expression has an implicit ^ at the beginning and an implicit $ at the end, and that must match the source value.
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-20-2010 05:31 AM

BTW, a particular piece of PCRE regex that may be particularly useful is the prefix (?i), which indicates that the regex from that point on is case-in*sensitive. This should usually be used when trying to match Windows file paths, e.g., `[source::(?i)...\program files\applogs\.log]`

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...