regex expression look behind issue

constantinetamp · ‎12-07-2020

I have the following string:

 "userEmail":"someString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF, 
 "userAddress":"otherString/ig-klm-nop-2020.domain.com@DOMAIN.COM" HIG KLM,
 "userEmail":"someOtherString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF,

from which I want to extract the "ab-cde-fgh-2020.domain.com" part but only from the "userEmail" tag.

The regex on regex101 works,

however on Splunk Search trying to use the expression:

| rex "(?<user>(?<="\"userEmail"\"\:\".*)(?<=\/)(.*?)(?=\@))"

it gives me the error that "lookbehind assestions is not fixed length", while the following:

| rex "(?<user>(?<=\"userEmail"\"\:\").*(?<=\/)(.*?)(?=\@))"

Returns:

someString/ab-cde-fgh-2020.domain.com
someOtherString/ab-cde-fgh-2020.domain.com

as one would expect. However the strings in the position of "someString" or "someOtherString" could be of any length in my data. What could be a workaround on that issue?

richgalloway · ‎12-08-2020

Try this rex command that doesn't use lookbehind.

| rex "userEmail[^\/]+(?<user>[^@]+)"

---
If this reply helps you, Karma would be appreciated.

regex expression look behind issue

regex

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

regex expression look behind issue

regex

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...