Splunk Search

regex expression look behind issue

constantinetamp
Observer

I have the following string:

 

 "userEmail":"someString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF, 
 "userAddress":"otherString/ig-klm-nop-2020.domain.com@DOMAIN.COM" HIG KLM,
 "userEmail":"someOtherString/ab-cde-fgh-2020.domain.com@DOMAIN.COM" ABC DEF, 

 

from which I want to extract the "ab-cde-fgh-2020.domain.com" part but only from the "userEmail" tag.

The regex on regex101 works,

regex.PNG

however on Splunk Search trying to use the expression:

 

| rex "(?<user>(?<="\"userEmail"\"\:\".*)(?<=\/)(.*?)(?=\@))"

 

it gives me the error that "lookbehind assestions is not fixed length", while the following:

 

| rex "(?<user>(?<=\"userEmail"\"\:\").*(?<=\/)(.*?)(?=\@))"

 

Returns:

 

someString/ab-cde-fgh-2020.domain.com
someOtherString/ab-cde-fgh-2020.domain.com

 

as one would expect. However the strings in the position of "someString" or "someOtherString" could be of any length in my data. What could be a workaround on that issue?

Labels (1)
Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this rex command that doesn't use lookbehind.

| rex "userEmail[^\/]+(?<user>[^@]+)"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...