Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: regex help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
regex help
I'm trying to configure a field extraction but am getting some strange incisions in the output. I'm running the below regex
^(?:[^:\n]*:){4}\s+(?P[^|]+), but am seeing additional values. The output should be all uppercase, but I'm still getting some lowercase values after using the [A-Z] in the regex.
I've also tried to pin point the outputs using the below but still get the additions.
^(?:[^:\n])\s state\s:\s(?P[^|]+)
What I'm trying to configure is a field extraction of an uppercase word, but I need to ignore - ()[]{}|
The output should be - ROUTE_START
But I'm also seeing things like - I'm trying to configure a field extraction but am getting some strange incisions in the output. I'm running the below regex
^(?:[^:\n]*:){4}\s+(?P[^|]+), but am seeing additional values. The oput put should be all uppercase, but I'm still getting some lowercase values after using the [A-Z] in the regex.
I've also tried to pin point the outputs using the below but still get the additions.
^(?:[^:\n])\s state\s:\s(?P[^|]+)
What I'm trying to configure is a field extraction of an uppercase word, but I need to ignore - ()[]{}|
The out put should be - ROUTER
But I'm also seeing this like - [Order{
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another version that could work is:
(?:arrived in state : )(?P\w+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try
state\s:\s(?P[A-Z_-]+)|[^|]+|$
and also you can use
https://regex101.com
This is very good site to learn and test your regex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please provide some sample data that you are trying to validate with regex.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't supply the actual log as it has confidential banking information, but this is one from test.
Example of one of the messages:-
08:45:16.674 [2018-01-03T08:45:16.674+0000] 3950682 INFO [p-quote-13-13-L-1] --- LoggerUtil: STATE ENGINE|AA32699|Quote21849812-0|Quote message arrived in state : RECORD_KEEPING_END|110|
All I need to see is RECORD_KEEPING_END.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does it always available as 2nd last value? If yes, give this regex a try
state\s:\s(?P<State>[A-Z_-]+)\|[^\|]+\|$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, that worked.
I was looking for the regex site as well. Very useful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use
https://regex101.com
This is very good site to learn and test your regex.
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
