regex help

SS1 · ‎05-10-2021

Hi,

I need some help with the regex,

Currently we have below two paths, note the naming format is different for the log files

\\path\\to\\my\\app\\folder\userx-test-cpuissue.log
\\path\\to\\my\\app\\folder\usery-cpuissue.log

I wrote a regex to extract user and issue, but it is not able to pick userx since the log format is different i.e. userx-test-cpuissue.log. How do i wrote a single regex which could extract both the naming formats?

\\\\(?<source>\w+)-(?<issue>\w+)\.log$

abowesman · ‎05-10-2021

You could try this

| rex field=log "\\\\(?<user>\w+)-(?<issue>.*)\.log$"

where your 'issue' field extraction takes _any_ character up to the .log after the user rather than \w.

Shown in this example

| makeresults
| eval log=split("\\\\path\\\\to\\\\my\\\\app\\\\folder\\userx-test-cpuissue.log,\\\\path\\\\to\\\\my\\\\app\\\\folder\\usery-cpuissue.log",",")
| mvexpand log
| rex field=log "\\\\(?<user>\w+)-(?<issue>.*)\.log$"

Hope this helps

SS1 · ‎05-10-2021

thanks for the response, although it is extracting just userx while i want it to extract userx-test. is that possible?

ITWhisperer · ‎05-10-2021

\\(?<source>[\w\-]+)\-(?<issue>\w+)\.log$

ITWhisperer · ‎05-10-2021

\\(?<source>\w+)(\-\w+)?\-(?<issue>\w+)\.log$

regex help

chart

field extraction

regex

rex

stats

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

regex help