When running the regex below, the search doesn't return any results even though the regex string works well on the external regex builder I use. Help.
Here's the original string: \.(.{2,4}\s+?)
Here's the Splunk search: index=*|fields file | rex field=file "(?\.(.{2,4}\s+?))" | stats count(Asset) AS "Total" by Asset | sort -Total
The first error is here:
(?\.(.{2,4}\s+?))
you have (? and ) at the start and end... that doesn't look right.
Also, to use the rex command, you need to use a named capturing group in the regex, like:
.(?P<test>.+)
Where test will be the name of the field extracted.
Hi ashnet16,
As Kristian says, we need some real data and also exactly what you try to extract from that data.
With that said, your original rex | rex field=file "(?\.(.{2,4}\s+?))" does not look right.
If you want to convert your original regular expression \.(.{2,4}\s+?) to rex, I would expect it to look something like this:
| rex field=file ".(?<fieldname>.{2,4}\s+?)"
Cheers!
#Sven Emil
This is the Splunk search format for rex: (?...) (.....) equals the regular expression.
Hi,
please provide real data,
describe what you are trying to achieve,
use the code markup where appropriate, since this helps with formatting and special characters
If you got a good answer, vote up a/o mark as answered.
/K
Could you provide some of your RAW data? The content of field "file" should be enough.
Here is some raw data:
vcard.png
phone.png
style.css
jquery.colorbox-min.js
Thanks!!
Ok, and is that a single line? or multiple entries? Also, what are you trying to extract?
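
Added example, not part of any post in this thread: a Python check of the patterns discussed above against the sample values posted, mimicking how rex only creates fields from named groups. The ANCHORED pattern and the helper names are assumptions, based on guessing that the goal is the file extension in a field called Asset (the name used in the stats clause).

```python
import re
from collections import Counter

# Sample values of the "file" field, copied from the thread (one value per event).
SAMPLE_FILES = ["vcard.png", "phone.png", "style.css", "jquery.colorbox-min.js"]

# Pattern from the question: no named group, and \s+? demands at least
# one whitespace character after the 2-4 captured characters.
ORIGINAL = r"\.(.{2,4}\s+?)"

# Named group as the answers suggest, whitespace requirement unchanged.
NAMED = r"\.(?P<Asset>.{2,4}\s+?)"

# Assumption (not from the thread): capture only the extension, allow
# optional trailing whitespace, and anchor at the end of the value so
# "jquery.colorbox-min.js" yields "js" rather than part of "colorbox".
ANCHORED = r"\.(?P<Asset>[^.\s]{2,4})\s*$"


def rex(pattern, value):
    """Return the fields a rex-style extraction would create.

    Only named groups become fields; unnamed groups are discarded.
    """
    match = re.search(pattern, value)
    return match.groupdict() if match else {}


def count_by_asset(pattern, values):
    """Rough equivalent of `stats count AS Total by Asset | sort -Total`."""
    fields = (rex(pattern, v) for v in values)
    counts = Counter(f["Asset"] for f in fields if "Asset" in f)
    return counts.most_common()


if __name__ == "__main__":
    for name, pattern in [("ORIGINAL", ORIGINAL), ("NAMED", NAMED), ("ANCHORED", ANCHORED)]:
        print(name, count_by_asset(pattern, SAMPLE_FILES))
```

A regex builder fed the four names as one multi-line block sees a newline after each extension, which satisfies \s+?; a field holding a single file name with nothing after the extension does not.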