Solved: Re: regex only first occurrance

sreesh · ‎05-13-2020

logs
source=/api/docker/docker-snapshot-demo/v2/pdap/pdap-validator-router/manifests/1.0.aws
source=/api/docker/docker-snapshot/v2/mode-date/mod-validator-router/manifests/1.0.aws

we want to extract the first occurrence of string that has min of 1 hyphen and max of 2 hyphens into separate filed. In above example, only "docker-snapshot-eis" and "docker-snapshot" should be extracted into different filed.
tried "\w*[-]\w*" and "\b\w*[-']\w*\b" but has challenge limiting to first occurrence and range specifier.

PavelP · ‎05-13-2020

Hello @sreesh,

please try

^[^\-]+\/([^\/\-]+\-[^\/\-]+\-?[^\/\-]*)\/

https://regex101.com/r/1DpHfH/1

View solution in original post

PavelP · ‎05-13-2020

Hello @sreesh,

please try

^[^\-]+\/([^\/\-]+\-[^\/\-]+\-?[^\/\-]*)\/

https://regex101.com/r/1DpHfH/1

sreesh · ‎05-14-2020

it worked, thanks Pavel

sreesh · ‎05-13-2020

Doing inline field extraction using rex. The output is a bit different
source=request.log | rex "(?^[^-]+\/([^\/-]+-[^\/-]+-?[^\/-])\/)" | stats count by Repo

output
20200513125800|0|REQUEST| 10.20.39.233 |non_authenticated_user|GET|/api/docker/docker-login/

while I require only docker-login in Repo filed. Other files already extracted using delimeter
the Resource field value is /api/docker/docker-login/

PavelP · ‎05-13-2020

@sreesh for inline regex use

| rex field=source "^[^\-]+\/(?<Repo>[^\/\-]+\-[^\/\-]+\-?[^\/\-]*)\/"

regex only first occurrance

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

regex only first occurrance

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases