Splunk Search

regex help

alanhowlett
New Member

I'm trying to configure a field extraction but am getting some strange incisions in the output. I'm running the below regex
^(?:[^:\n]*:){4}\s+(?P[^|]+), but am seeing additional values. The output should be all uppercase, but I'm still getting some lowercase values after using the [A-Z] in the regex.

I've also tried to pin point the outputs using the below but still get the additions.
^(?:[^:\n])\s state\s:\s(?P[^|]+)

What I'm trying to configure is a field extraction of an uppercase word, but I need to ignore - ()[]{}|
The output should be - ROUTE_START
But I'm also seeing things like - I'm trying to configure a field extraction but am getting some strange incisions in the output. I'm running the below regex
^(?:[^:\n]*:){4}\s+(?P[^|]+), but am seeing additional values. The oput put should be all uppercase, but I'm still getting some lowercase values after using the [A-Z] in the regex.

I've also tried to pin point the outputs using the below but still get the additions.
^(?:[^:\n])\s state\s:\s(?P[^|]+)

What I'm trying to configure is a field extraction of an uppercase word, but I need to ignore - ()[]{}|
The out put should be - ROUTER
But I'm also seeing this like - [Order{

Thanks

0 Karma

gmchenry
Explorer

Another version that could work is:

(?:arrived in state : )(?P\w+)

0 Karma

risgupta
Path Finder

Try

state\s:\s(?P[A-Z_-]+)|[^|]+|$

and also you can use
https://regex101.com

This is very good site to learn and test your regex.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please provide some sample data that you are trying to validate with regex.

---
If this reply helps you, Karma would be appreciated.
0 Karma

alanhowlett
New Member

I can't supply the actual log as it has confidential banking information, but this is one from test.

Example of one of the messages:-

08:45:16.674 [2018-01-03T08:45:16.674+0000] 3950682 INFO [p-quote-13-13-L-1] --- LoggerUtil: STATE ENGINE|AA32699|Quote21849812-0|Quote message arrived in state : RECORD_KEEPING_END|110|

All I need to see is RECORD_KEEPING_END.

0 Karma

somesoni2
Revered Legend

Does it always available as 2nd last value? If yes, give this regex a try

 state\s:\s(?P<State>[A-Z_-]+)\|[^\|]+\|$

https://regex101.com/r/24sjMS/1

0 Karma

alanhowlett
New Member

Thanks, that worked.

I was looking for the regex site as well. Very useful.

0 Karma

risgupta
Path Finder

You can use
https://regex101.com

This is very good site to learn and test your regex.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...