Solved: Re: regex only first occurrance

sreesh · ‎05-13-2020

logs
source=/api/docker/docker-snapshot-demo/v2/pdap/pdap-validator-router/manifests/1.0.aws
source=/api/docker/docker-snapshot/v2/mode-date/mod-validator-router/manifests/1.0.aws

we want to extract the first occurrence of string that has min of 1 hyphen and max of 2 hyphens into separate filed. In above example, only "docker-snapshot-eis" and "docker-snapshot" should be extracted into different filed.
tried "\w*[-]\w*" and "\b\w*[-']\w*\b" but has challenge limiting to first occurrence and range specifier.

PavelP · ‎05-13-2020

Hello @sreesh,

please try

^[^\-]+\/([^\/\-]+\-[^\/\-]+\-?[^\/\-]*)\/

https://regex101.com/r/1DpHfH/1

View solution in original post

PavelP · ‎05-13-2020

Hello @sreesh,

please try

^[^\-]+\/([^\/\-]+\-[^\/\-]+\-?[^\/\-]*)\/

https://regex101.com/r/1DpHfH/1

sreesh · ‎05-14-2020

it worked, thanks Pavel

sreesh · ‎05-13-2020

Doing inline field extraction using rex. The output is a bit different
source=request.log | rex "(?^[^-]+\/([^\/-]+-[^\/-]+-?[^\/-])\/)" | stats count by Repo

output
20200513125800|0|REQUEST| 10.20.39.233 |non_authenticated_user|GET|/api/docker/docker-login/

while I require only docker-login in Repo filed. Other files already extracted using delimeter
the Resource field value is /api/docker/docker-login/

PavelP · ‎05-13-2020

@sreesh for inline regex use

| rex field=source "^[^\-]+\/(?<Repo>[^\/\-]+\-[^\/\-]+\-?[^\/\-]*)\/"

regex only first occurrance

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation