Re: regex expression look behind issue

constantinetamp · ‎12-07-2020

I have the following string:

 "userEmail":"someString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF, 
 "userAddress":"otherString/ig-klm-nop-2020.domain.com@DOMAIN.COM" HIG KLM,
 "userEmail":"someOtherString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF,

from which I want to extract the "ab-cde-fgh-2020.domain.com" part but only from the "userEmail" tag.

The regex on regex101 works,

however on Splunk Search trying to use the expression:

| rex "(?<user>(?<="\"userEmail"\"\:\".*)(?<=\/)(.*?)(?=\@))"

it gives me the error that "lookbehind assestions is not fixed length", while the following:

| rex "(?<user>(?<=\"userEmail"\"\:\").*(?<=\/)(.*?)(?=\@))"

Returns:

someString/ab-cde-fgh-2020.domain.com
someOtherString/ab-cde-fgh-2020.domain.com

as one would expect. However the strings in the position of "someString" or "someOtherString" could be of any length in my data. What could be a workaround on that issue?

richgalloway · ‎12-08-2020

Try this rex command that doesn't use lookbehind.

| rex "userEmail[^\/]+(?<user>[^@]+)"

---
If this reply helps you, Karma would be appreciated.

regex expression look behind issue

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation