
regex help

New Member

I'm trying to configure a field extraction but am getting some strange incisions in the output. I'm running the below regex
^(?:[^:\n]*:){4}\s+(?P[^|]+), but am seeing additional values. The output should be all uppercase, but I'm still getting some lowercase values after using the [A-Z] in the regex.

I've also tried to pinpoint the outputs using the below but still get the additions.
^(?:[^:\n])\s state\s:\s(?P[^|]+)

What I'm trying to configure is a field extraction of an uppercase word, but I need to ignore - ()[]{}|
The output should be - ROUTE_START
But I'm also seeing things like - [Order{

Thanks

0 Karma

Re: regex help

SplunkTrust

Please provide some sample data that you are trying to validate with regex.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: regex help

New Member

I can't supply the actual log as it has confidential banking information, but this is one from test.

Example of one of the messages:-

08:45:16.674 [2018-01-03T08:45:16.674+0000] 3950682 INFO [p-quote-13-13-L-1] --- LoggerUtil: STATE ENGINE|AA32699|Quote21849812-0|Quote message arrived in state : RECORDKEEPINGEND|110|

All I need to see is RECORDKEEPINGEND.

0 Karma

Re: regex help

SplunkTrust

Is it always available as the 2nd last value? If yes, give this regex a try

 state\s:\s(?P<State>[A-Z_-]+)\|[^\|]+\|$

https://regex101.com/r/24sjMS/1

0 Karma
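The following is an added example, not part of the thread: it runs the regex from the answer above and a permissive `[^|]+` capture (a simplified form of the question's second pattern, with the group name `State` assumed) over the test line from the thread and a few constructed lines. It shows why the character class and the `$` anchor remove the unwanted values.

```python
import re

# Pattern from the answer above. Splunk field extractions use PCRE;
# Python accepts the same (?P<name>...) named-group syntax.
STRICT = re.compile(r"state\s:\s(?P<State>[A-Z_-]+)\|[^\|]+\|$")

# Permissive capture in the style of the question: anything up to the
# next pipe. The group name "State" is an assumption for this example.
LOOSE = re.compile(r"state\s:\s(?P<State>[^|]+)")

PREFIX = ("08:45:16.674 [2018-01-03T08:45:16.674+0000] 3950682 INFO "
          "[p-quote-13-13-L-1] --- LoggerUtil: STATE ENGINE|AA32699|"
          "Quote21849812-0|Quote message arrived in state : ")

SAMPLES = {
    "thread":     PREFIX + "RECORDKEEPINGEND|110|",   # test line from the thread
    "underscore": PREFIX + "ROUTE_START|110|",        # constructed
    "bracketed":  PREFIX + "[Order{id=1}|110|",       # constructed
    "mixed_case": PREFIX + "RouteStart|110|",         # constructed
    "extra_col":  PREFIX + "ROUTE_START|110|extra|",  # constructed: state is not 2nd last
}


def extract(pattern, line):
    """Return the captured State value, or None when the pattern does not match."""
    match = pattern.search(line)
    return match.group("State") if match else None


def compare():
    """Map each sample name to (loose_result, strict_result)."""
    return {name: (extract(LOOSE, line), extract(STRICT, line))
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:10} loose={loose!r:18} strict={strict!r}")
```

The strict pattern returns nothing for `extra_col`, so if the state value is not always the second-to-last field the `$`-anchored tail has to be dropped or widened.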

Re: regex help

New Member

Thanks, that worked.

I was looking for the regex site as well. Very useful.

0 Karma

Re: regex help

Path Finder

You can use
https://regex101.com

This is a very good site to learn and test your regex.

0 Karma

Re: regex help

Path Finder

Try

state\s:\s(?P[A-Z_-]+)|[^|]+|$

and also you can use
https://regex101.com

This is a very good site to learn and test your regex.

0 Karma

Re: regex help

Explorer

Another version that could work is:

(?:arrived in state : )(?P\w+)

0 Karma