Re: regex delimiters & config file formatting

Gregory_Lapchen · ‎02-09-2011

I'm experiencing a subtle issue, which is not very apparent due to lack of delimiters around regular expressions, where the space after the '=' sign is being parsed as part of the regular expression. Considering most config files use spaces around the '=' sign for readability, this becomes confusing.

REGEX = info

This expression would match " info" vs "info". I.e. "abc info" would match, and "abcinfo" would not.

Is this expected behavior?

aojie654 · ‎04-26-2019

Hi, @Gregory Lapchenko:

I'll use _ in this answer to recognize space.
I feel sorry about that I'm not very clearly to understand your puzzle. From what I understand, are you want to match just _info but not abc_info? If so, maybe the regex expression is \s+info to match _info, or [^\s]*?\sinfo to match abc_info.

Boopalan · ‎04-26-2019

Below Regex will work as expected for you:
REGEX=\s+info

gkanapathy · ‎02-09-2011

You can either use \s (which would match either a space or a tab) or [ ] (just the space) in a regex to represent a space, and it's usually a good idea to do so if you've got it at the beginning of a regex. I wonder if you might prefer to use \b (word boundary) before the info as well.

regex delimiters & config file formatting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation