Splunk Search

What does "P" stand for in regular expression query?

pradjswl
Explorer

I am trying to understand more about a regular expression query used in Splunk. what does character P stands for in the regex example?

(?P)
0 Karma
1 Solution

bmacias84
Champion

The P is Python identifier for a named capture group. You will see P in regex used in jdango and other python based regex implementations.

https://docs.python.org/3/library/re.html
http://stackoverflow.com/questions/7988942/what-does-this-django-regex-mean-p

Cheers

View solution in original post

bmacias84
Champion

The P is Python identifier for a named capture group. You will see P in regex used in jdango and other python based regex implementations.

https://docs.python.org/3/library/re.html
http://stackoverflow.com/questions/7988942/what-does-this-django-regex-mean-p

Cheers

pradjswl
Explorer

ty @bmacias84 that helps

0 Karma

rvany
Communicator

As this thread is mentioned in the current (i.e. v7.1.3) docs comment section I add some more reference.

From the PCRE-Change-Log (http://www.rexegg.com/pcre-doc/ChangeLog) you find down the page Version 7.0 19-Dec-06 and in this part we have:

34. Added a number of extra features that are going to be in Perl 5.10. On the
    whole, these are just syntactic alternatives for features that PCRE had
    previously implemented using the Python syntax or my own invention. The
    other formats are all retained for compatibility.

    (a) Named groups can now be defined as (?<name>...) or (?'name'...) as well
        as (?P<name>...). The new forms, as well as being in Perl 5.10, are
        also .NET compatible.

This seems to be the explanation closest to the origin of this construct.

And from the already mentioned Python-Docs we get:

(?...)
    This is an extension notation (a '?' following a '(' is not meaningful otherwise). The first character after the '?' determines what the meaning and further syntax of the construct is. Extensions usually do not create a new group; (?P<name>...) is the only exception to this rule. Following are the currently supported extensions.

Where this "first character after the '?'" is explained in great detail in the text that follows.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...