- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to exact a string 'GUID" from the log right after "customers". This regex expression works in https://regex101.com/ but not in Splunk. My field name is log:
2023-06-19 15:28:01.726 ERROR [communication-service,6e72370er2368b08,6e723709fd368b08] [,,,] 1 --- [container-0-C-1] c.w.r.acc.commservice.sink.ReminderSink : Reminder Message processed, no linked customers aaf60d69-99a9-41f5-a081-032224284066
| rex field=log "(?<cids>).*customers\s(.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Did you want cids to contain that GUID?
Try
| rex field=log ".*customers\s(?<cids>.*)"
Alternatively, if the GUID is always at the end, following a space, you can even drop the "customers" part:
| rex field=log "(?<cids>\S+$)"
Your example appears to be creating a capture group named "cids" that captures nothing (the first set of parentheses), and then a second non-capturing group that matches what you want (the second set of parentheses).
This document might help explain in more detail:
https://docs.splunk.com/Documentation/SCS/current/Search/AboutSplunkregularexpressions#Capture_group...
Breaking software for over 20 years.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Did you want cids to contain that GUID?
Try
| rex field=log ".*customers\s(?<cids>.*)"
Alternatively, if the GUID is always at the end, following a space, you can even drop the "customers" part:
| rex field=log "(?<cids>\S+$)"
Your example appears to be creating a capture group named "cids" that captures nothing (the first set of parentheses), and then a second non-capturing group that matches what you want (the second set of parentheses).
This document might help explain in more detail:
https://docs.splunk.com/Documentation/SCS/current/Search/AboutSplunkregularexpressions#Capture_group...
Breaking software for over 20 years.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So to clarify the <cids> is the placeholder for the values produced from the regex AND also the placement is where the actual value would be contained in the string, i.e. Log field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Yes. You can name multiple capture groups in one rex statement.
e.g.
| rex field=my_field "foo:\s+\"(?<first_capture>[^\"]+)\",\s+bar:\s+(?<second_capture>[^\"]+)"
Breaking software for over 20 years.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I was close ugh.
data:image/s3,"s3://crabby-images/a266d/a266d0c80c12793a952b209c17cc3de41b17fc89" alt=""