Splunk Search

What is the regex for a comma followed by a character as a field delimiter, but a comma followed by blank space is not?

Thuan
Explorer

I have the following excerpt of exchange logs. There are more fields before and after this excerpt.

,awells@atcorp.com,awells@atcorp.com,Hi, my dear friend!,

The regex I have developed is:

,(?P<sender_address>[^,]*|,),(?P<return_path>[^,]*|,),(?P<message_subject>[^,]*|,),]

Using comma (,) as a field delimiter

The first field "sender_address" is parsed as "awells@atcorp.com" - the desired result
The 2nd field "return_path" is parsed as "awells@atcorp.com" - the desired result
The 3rd field "message_subject" is parsed as "Hi," but it should be "Hi, my dear friend!"

I observed that a comma followed by character is field delimiter, but a comma followed by blank space is not.
Question: what is a correct regex for the 3rd field?


wpreston
Motivator

This regex appears to work as you want, and should work as long as there is a comma at the end of field three:

,(?<Field1>[^,]+),(?<Field2>[^,]+),(?<Field3>.*),

Thuan
Explorer

I tested and your solution does not work. The example string is listed below:
,awells@atcorp.com,awells@atcorp.com,Hi, my dear friend! ,

Focusing on the 3rd field, the last two characters include a space between the ! and the , (exclamation mark + space + comma).
The field separator at the end of the 3rd field should be a space+comma. I have tried this

,(?[^,]+),(?[^,]+),(?.)\s, it does not work but
,(?[^,]+),(?[^,]+),(?.|\s), does

I do not understand why the first one does not work as the field separator is a space+comma


richgalloway
SplunkTrust

If the third field always ends with space+comma then this works for me:

,(?<field1>[^,]+),(?<field2>[^,]+),(?<field3>.+) ,
---
If this reply helps you, Karma would be appreciated.
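Putting the thread's patterns side by side, as an added Python example (not code from any of the posters), run over constructed rows modelled on the two strings Thuan posted plus one with trailing fields, since the original log has fields after the excerpt. The lookahead pattern and `split_fields` generalise the rule stated in the question (a comma is a delimiter only when the next character is not whitespace) and assume the field names from the original post.

```python
import re

# Constructed rows. The excerpt in the thread starts and ends with ',', so the
# first comma is taken as the delimiter in front of sender_address.
ROW_NO_SPACE = ",awells@atcorp.com,awells@atcorp.com,Hi, my dear friend!,"
ROW_SPACE = ",awells@atcorp.com,awells@atcorp.com,Hi, my dear friend! ,"
# Constructed: the real log has more fields after the subject.
ROW_TRAILING = ",awells@atcorp.com,awells@atcorp.com,Hi, my dear friend!,Deliver,Low,"

# richgalloway's pattern: requires a literal space before the closing comma.
# Python's re needs (?P<name>...); Splunk's PCRE also accepts (?<name>...).
RICH = re.compile(r",(?P<field1>[^,]+),(?P<field2>[^,]+),(?P<field3>.+) ,")

# wpreston's pattern: the greedy .* runs to the LAST comma it can find, so it
# swallows any fields that follow the subject.
WPRESTON = re.compile(r",(?P<Field1>[^,]+),(?P<Field2>[^,]+),(?P<Field3>.*),")

# Generalisation of the rule in the question: a field is a run of non-comma
# characters, or commas that are followed by whitespace (", " inside a subject).
FIELD = r"(?:[^,]|,(?=\s))+"
LOOKAHEAD = re.compile(
    rf",(?P<sender_address>{FIELD}),(?P<return_path>{FIELD}),(?P<message_subject>{FIELD}),"
)


def extract(pattern, row):
    """Return the named groups of the first match, or None if the pattern fails."""
    m = pattern.search(row)
    return m.groupdict() if m else None


def split_fields(row):
    """Split a whole row on delimiter commas only (a comma not followed by whitespace)."""
    # The leading and trailing delimiters produce empty strings; drop them.
    return [f for f in re.split(r",(?!\s)", row) if f]


if __name__ == "__main__":
    for name, pat in (("rich", RICH), ("wpreston", WPRESTON), ("lookahead", LOOKAHEAD)):
        for row in (ROW_NO_SPACE, ROW_SPACE, ROW_TRAILING):
            print(name, extract(pat, row))
    print(split_fields(ROW_TRAILING))
```

On the row with trailing fields the `.*` pattern returns `Hi, my dear friend!,Deliver,Low` as the subject, while the lookahead pattern stops at the comma before `Deliver`.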

Thuan
Explorer

Thank you.

What is the difference between " " (blank space) and \s embedded in regex statements?


richgalloway
SplunkTrust

\s matches any white space (space, tab, etc.) whereas ' ' matches only space. \s is probably best practice. In your case, they should be interchangeable.


Thuan
Explorer

Correction

,(?[^,]+),(?[^,]+),(?.)\s, it does not work but
,(?[^,]+),(?[^,]+),(?.|\s), does


Thuan
Explorer

There is a backslash before the s.


richgalloway
SplunkTrust

Can the field delimiter be changed? Is there another way to determine the end of field 3 (keyword, etc.)? Can fields be enclosed in quotes?


Thuan
Explorer

The complete regex should be

,(?P<sender_address>[^,]*|,),(?P<return_path>[^,]*|,),(?P<message_subject>[^,]*|,),]

Somehow it was modified during the posting.


ppablo
Retired

Just edited your post and comment so your regex renders correctly on this site.


richgalloway
SplunkTrust

I used to have that ability until the site was upgraded. How do I get it back?


ppablo
Retired

Ah that's not good at all, thanks for letting me know. Let me look into it and I'll get back to you. (are you "Rich" in the IRC #splunk channel? If yes, I pinged ya earlier to chat about this, but wasn't sure if that was you lol)


richgalloway
SplunkTrust

No, not me. I don't use IRC.


ppablo
Retired

Ah ok haha woops. Well just to get more info, you haven't been able to edit other users' posts since this site was updated back in September?


richgalloway
SplunkTrust

That's correct.
