Splunk Search

Why isn't regex101 to Splunk rex translation insertion working?

Steve_A200
Path Finder

Hi,

I managed to get my regex101 expression working; however, I am not able to get it working in Splunk. I would like to extract only the location IDs that are listed in _raw if they are preceded by the text "Location not found.ID: "

 

Test string:

Location not found. ID: ABC000123244343

Regex101 copied value:

/[ABC0]\w+[a-zA-Z0-9]/gm

 

However, when I tried the below in Splunk, it didn't give me the results I expected:

 

| from datamodel:"xyzlogs"
| fields _raw
| where like(_raw,"%Location not found.ID: ABC000%")
| rex field=_raw "(?P<Location_id>/[ABC0]\w+[a-zA-Z0-9]/gm)"

 

 

Any help would be appreciated.

Thank you.

 


ITWhisperer
SplunkTrust
SplunkTrust

You don't need everything from regex101, just the regex.

| makeresults
| eval _raw="Location not found. ID: ABC000123244343"
| rex "(?P<Location_id>[ABC0]\w+[a-zA-Z0-9])"

PickleRick
SplunkTrust
SplunkTrust

Additionally, you can just include this "condition" in your regex.

But firstly make sure that your regex indeed does what you intend it to do.

First, you're looking for the string including "ABC000*", then you're matching against [ABC0] (that's a character class, not an explicit string).

What you need seems to be something more like

| rex field=_raw "Location\snot\sfound\.\s*ID:\s+(?<Location>ABC0\S+)"

which matches only those strings that start with ABC0 and are preceded by the "Location not found" string. Otherwise the regex will simply not match, so it will not extract anything.

Steve_A200
Path Finder

Thank you for the prompt help. I found the best solution for my data logs was the suggestion below by @PickleRick:

| rex field=_raw "Location\snot\sfound\.\s*ID:\s+(?<Location>ABC0\S+)"

It was what I needed to extract.

Thank you all for your help; I appreciate this community and the talent it has.


VatsalJagani
SplunkTrust
SplunkTrust

@Steve_A200 - As suggested by @ITWhisperer, you just use the regex part of it.

/<regex>/<flags>

g & m are flags for global and multiline, which is true by default for Splunk's rex command.

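The two points made in this thread (strip the regex101 /pattern/flags literal down to the bare pattern, and anchor the extraction on the preceding "Location not found" text instead of relying on the [ABC0] character class) can be checked outside Splunk before the rex goes into a search. The script below is an added example, not code from the original thread or from Splunk itself. It uses Python's re module as a stand-in for the PCRE engine behind rex, with (?P<name>...) named groups that both engines accept, and runs each variant over a handful of constructed log lines. The split_regex101 and extract helper names, and the sample events, are introduced here for illustration.

```python
import re

# Constructed sample events (not taken from the original thread). The first two
# are the "Location not found" line with and without a space after the period;
# the last two are unrelated lines whose first character happens to fall into
# the [ABC0] character class.
SAMPLE_EVENTS = [
    "Location not found.ID: ABC000123244343",
    "Location not found. ID: ABC000987654321",
    "Connection refused by ABC000555 upstream",
    "Audit: user Bob0 logged in",
]

# What regex101 shows in its copy box: a JavaScript-style literal, not a bare pattern.
REGEX101_LITERAL = r"/[ABC0]\w+[a-zA-Z0-9]/gm"


def split_regex101(literal):
    """Split a regex101 '/pattern/flags' literal into (pattern, flags).

    Only the pattern belongs inside rex's quotes; the slashes and flag letters
    are literal-syntax decoration that rex would otherwise try to match.
    """
    m = re.fullmatch(r"/(.*)/([a-zA-Z]*)", literal, re.DOTALL)
    if m is None:
        raise ValueError("not a /pattern/flags literal: %r" % literal)
    return m.group(1), m.group(2)


def extract(pattern, events, group=0):
    """Mimic `rex field=_raw "<pattern>"` with the default max_match=1:
    return the first match of `group` per event, or None when the regex
    does not match (rex then simply leaves the field unset)."""
    rx = re.compile(pattern)
    results = []
    for event in events:
        m = rx.search(event)
        results.append(m.group(group) if m else None)
    return results


# 1. The literal pasted verbatim into a named group, as in the original rex.
#    The slashes and "gm" become literal characters, so it never matches.
OP_REX = "(?P<Location_id>" + REGEX101_LITERAL + ")"

# 2. The bare pattern. It now matches, but [ABC0] is a character class
#    (any ONE of A, B, C or 0), not the literal string "ABC0", so it also
#    fires on "Connection" and "Audit".
BARE_PATTERN, FLAGS = split_regex101(REGEX101_LITERAL)

# 3. Anchored on the preceding text, with the period escaped and \s* allowing
#    for the optional space after it. Only the real location ID is captured.
ANCHORED = r"Location\snot\sfound\.\s*ID:\s+(?P<Location>ABC0\S+)"


def run_all():
    """Return the three extraction results side by side for inspection."""
    return {
        "as_pasted": extract(OP_REX, SAMPLE_EVENTS),
        "bare": extract(BARE_PATTERN, SAMPLE_EVENTS),
        "anchored": extract(ANCHORED, SAMPLE_EVENTS, "Location"),
    }


if __name__ == "__main__":
    for name, values in run_all().items():
        print(name, values)
```

The g flag from regex101 has no place inside the pattern: rex returns the first match unless you raise its max_match option, and the m flag only matters if your events contain line breaks. Once the anchored pattern behaves here, the same string (with (?<Location>...) or (?P<Location>...), both accepted by rex) can be dropped into the search, and the where/like() pre-filter becomes optional because non-matching events simply get no Location field.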