wether or is possible inside a regex

john · ‎05-09-2012

hi,

A1.abc-ab.1000.11111
A1.ab.1000.11111

This is the format of data what iam trying to extract using regex.Since both the datas are values of same instance i want to exctract these both values using 1 regex so as to compare it with other values

... | rex field=_raw "(?<value>(\w\d\.\w+\-\w+\.\d{4}\-\d{8})|(\w\d\.\w+\.\d{4}\.d{7}))"| table value

this is what i have tried but it is fetching only the data matching with the first bracket ie A1.abc-ab.1000.11111 .Please help

kristian_kolb · ‎05-09-2012

There are a couple of errors in your regex, and you're probably making it too complicated. \w also matches digits, and you're missing the backslash for the last \d. Using character classes ([]) simplifies a lot.

rex field=_raw "\s(?<value>[\w]+\.[\w-]+\.\d+\.\d+)\s"

should do it. Note that this may also capture other stuff in your log. Please post some a couple of log events to get better answers.

Hope this helps,

Kristian

kristian_kolb · ‎05-09-2012

updated. /k

wether or is possible inside a regex

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

wether or is possible inside a regex

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2