issue in regex

pragycho · ‎03-07-2021

Hi ,

i want to ignore some comment line and last comment store value in field.

for example , I have log where first 3 line field is in commented for Version, Date, Software

#Ver: 1.0
#Date: 2020-04-18 11:10:15
#Software: ABC for Web 11.8.0-414

how to write the regex expression for this where i can store last field value

my regex REGEX = ^\# but it is dropping all lines with leading hash

how to store Software value in field but other previous field value can drop

tscroggins · ‎03-07-2021

@pragycho

To exclude all lines beginning with # except for #Software in a transform evaluated at index time, try:

^#(?!Software)

To extract the text after #Software: into a field in a transform at search time, try:

^#Software:\s+(?<software>.*)

This is the equivalent rex command:

| rex "^#Software:\s+(?<software>.*)"

I can provide more detailed conf examples if you can provide a little more context around where (index time or search time) you want to discard lines and extract values.

pragycho · ‎03-11-2021

i have Regex in transform.com .

which is good for performance

issue in regex

regex

rex

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

issue in regex

regex

rex

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0