Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

wether or is possible inside a regex

john
Communicator
‎05-09-2012 03:01 AM

hi,

A1.abc-ab.1000.11111
A1.ab.1000.11111

This is the format of data what iam trying to extract using regex.Since both the datas are values of same instance i want to exctract these both values using 1 regex so as to compare it with other values

... | rex field=_raw "(?<value>(\w\d\.\w+\-\w+\.\d{4}\-\d{8})|(\w\d\.\w+\.\d{4}\.d{7}))"| table value

this is what i have tried but it is fetching only the data matching with the first bracket ie A1.abc-ab.1000.11111 .Please help

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-09-2012 03:36 AM

There are a couple of errors in your regex, and you're probably making it too complicated. \w also matches digits, and you're missing the backslash for the last \d. Using character classes ([]) simplifies a lot.

rex field=_raw "\s(?<value>[\w]+\.[\w-]+\.\d+\.\d+)\s"

should do it. Note that this may also capture other stuff in your log. Please post some a couple of log events to get better answers.

Hope this helps,

Kristian

0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-09-2012 03:43 AM

updated. /k

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...