Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

regex delimiters & config file formatting

Gregory_Lapchen
Engager
‎02-09-2011 09:40 PM

I'm experiencing a subtle issue, which is not very apparent due to lack of delimiters around regular expressions, where the space after the '=' sign is being parsed as part of the regular expression. Considering most config files use spaces around the '=' sign for readability, this becomes confusing.

REGEX = info

This expression would match " info" vs "info". I.e. "abc info" would match, and "abcinfo" would not.

Is this expected behavior?

Tags (1)
Reply

aojie654
Path Finder
‎04-26-2019 01:34 AM

Hi, @Gregory Lapchenko:

I'll use _ in this answer to recognize space.
I feel sorry about that I'm not very clearly to understand your puzzle. From what I understand, are you want to match just _info but not abc_info? If so, maybe the regex expression is \s+info to match _info, or [^\s]*?\sinfo to match abc_info.

0 Karma
Reply

Boopalan
New Member
‎04-26-2019 12:13 AM

Below Regex will work as expected for you:
REGEX=\s+info

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-09-2011 11:15 PM

You can either use \s (which would match either a space or a tab) or [ ] (just the space) in a regex to represent a space, and it's usually a good idea to do so if you've got it at the beginning of a regex. I wonder if you might prefer to use \b (word boundary) before the info as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...