Splunk Search

regex expression look behind issue

constantinetamp
Observer

I have the following string:

 "userEmail":"someString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF, 
 "userAddress":"otherString/ig-klm-nop-2020.domain.com@DOMAIN.COM" HIG KLM,
 "userEmail":"someOtherString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF, 

from which I want to extract the "ab-cde-fgh-2020.domain.com" part but only from the "userEmail" tag.

The regex on regex101 works,

[attached screenshot: regex.PNG, the regex tested on regex101]

however on Splunk Search trying to use the expression:

| rex "(?<user>(?<="\"userEmail"\"\:\".*)(?<=\/)(.*?)(?=\@))"

it gives me the error that "lookbehind assertion is not fixed length", while the following:

| rex "(?<user>(?<=\"userEmail"\"\:\").*(?<=\/)(.*?)(?=\@))"

Returns:

someString/ab-cde-fgh-2020.domain.com
someOtherString/ab-cde-fgh-2020.domain.com

as one would expect. However, the strings in the position of "someString" or "someOtherString" could be of any length in my data. What could be a workaround for that issue?


richgalloway
SplunkTrust

Try this rex command that doesn't use lookbehind.

| rex "userEmail[^\/]+\/(?<user>[^@]+)"

---
If this reply helps you, Karma would be appreciated.
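The behaviour discussed in this thread, reproduced outside Splunk as an added example (this is not code from either poster). Python's re engine, like the PCRE engine behind rex, rejects a variable-length lookbehind at compile time, so the first pattern below fails the same way the question's pattern does. The second pattern is the lookbehind-free approach from the answer, with a literal \/ placed before the capture group so the slash itself is not captured; Python spells a named group (?P<user>...) rather than (?<user>...). The sample events are constructed to mirror the ones in the question.

```python
import re

# Constructed sample events modelled on the question (not real log data).
SAMPLE_EVENTS = [
    '"userEmail":"someString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF,',
    '"userAddress":"otherString/ig-klm-nop-2020.domain.com@DOMAIN.COM" HIG KLM,',
    '"userEmail":"someOtherString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF,',
]

# Variable-length lookbehind, in the spirit of the question's first rex.
# The ".*" inside "(?<=...)" has no fixed width, so re.compile() raises re.error
# ("look-behind requires fixed-width pattern"), mirroring Splunk's error.
VARIABLE_LOOKBEHIND = r'(?<="userEmail":".*)(?<=/)(?P<user>.*?)(?=@)'

# Lookbehind-free pattern: skip to userEmail, consume everything up to the first
# slash, require the slash, then capture up to the "@". Only events that contain
# "userEmail" can match, so userAddress values are never picked up.
NO_LOOKBEHIND = re.compile(r'userEmail[^/]+/(?P<user>[^@]+)')


def lookbehind_compiles(pattern: str) -> bool:
    """Return True if the engine accepts the pattern, False if it rejects it."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract_users(events):
    """Run the lookbehind-free extraction over each event.

    Events without a userEmail field yield no value, which is the same outcome
    rex produces when a regex does not match.
    """
    users = []
    for event in events:
        match = NO_LOOKBEHIND.search(event)
        if match:
            users.append(match.group("user"))
    return users


if __name__ == "__main__":
    print("variable-length lookbehind compiles:", lookbehind_compiles(VARIABLE_LOOKBEHIND))
    print("fixed-width lookbehind compiles:   ", lookbehind_compiles(r"(?<=/)[^@]+"))
    for user in extract_users(SAMPLE_EVENTS):
        print("user =", user)
```

The reason to care about the leading slash is downstream use: a field value of "/ab-cde-fgh-2020.domain.com" will not join against an asset or identity lookup keyed on "ab-cde-fgh-2020.domain.com", and the mismatch is easy to miss in a search that otherwise appears to work.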