regex expression look behind issue

constantinetamp · ‎12-07-2020

I have the following string:

 "userEmail":"someString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF, 
 "userAddress":"otherString/ig-klm-nop-2020.domain.com@DOMAIN.COM" HIG KLM,
 "userEmail":"someOtherString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF,

from which I want to extract the "ab-cde-fgh-2020.domain.com" part but only from the "userEmail" tag.

The regex on regex101 works,

however on Splunk Search trying to use the expression:

| rex "(?<user>(?<="\"userEmail"\"\:\".*)(?<=\/)(.*?)(?=\@))"

it gives me the error that "lookbehind assestions is not fixed length", while the following:

| rex "(?<user>(?<=\"userEmail"\"\:\").*(?<=\/)(.*?)(?=\@))"

Returns:

someString/ab-cde-fgh-2020.domain.com
someOtherString/ab-cde-fgh-2020.domain.com

as one would expect. However the strings in the position of "someString" or "someOtherString" could be of any length in my data. What could be a workaround on that issue?

richgalloway · ‎12-08-2020

Try this rex command that doesn't use lookbehind.

| rex "userEmail[^\/]+(?<user>[^@]+)"

---
If this reply helps you, Karma would be appreciated.

regex expression look behind issue

regex

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?

regex expression look behind issue

regex

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition