Re: why does the regex not work?

kennmunklarsen · ‎10-12-2012

Why does the following regex not both records:

(?i)(?:MEthod: ) | (?:Metode: )(?P<FIELDNAME>\w+)

Records:

2012-10-12 09:27:53,903 Ch pw succeded  Brand: /vvv_erhverv Metode: EMPLOYEE LDAP 
2012-10-12 09:25:44,374 Login succeded  Brand: /ppp_medlem MEthod: SPECIAL  LDAP

I would like to match SPECIAL and EMPLOYEE

Drainy · ‎10-12-2012

Blimey, why not just do;

(?i)(?:method|metode)\:\s(\w+)

?

🙂

MuS · ‎10-12-2012

I fiddled out this one:

(?i)((?<=MEthod: )|(?<=Metode: ))(?<FIELDNAME>\w+)

this will match only EMPLOYEE and SPECIAL

MuS · ‎10-12-2012

what happens if your run this:

| regex _raw="(?i)((?<=MEthod: )|(?<=Metode: ))(?\w+)"

kennmunklarsen · ‎10-12-2012

MuS
Splunk gives the error:
Invalid regex: syntax error

when i use this:
(?i)((?<=MEthod: )|(?<=Metode: ))(?\w+)

MHibbin · ‎10-12-2012

How about doing something like:

(?i)brand\:[^\:]+\:\s+(?P<fieldname>[^ ]+)

EDIT: Missed "+"

You can test regex out on the following site http://gskinner.com/RegExr/, (believe @Drainy shared this with me, to pass on some credit 🙂 ) it generally works for most regex you will need.

EDIT: And using your syntax, I believe the following should work

(?i)((?:MEthod:\s+)|(?:Metode:\s+))(?P<FIELDNAME>\w+)

You had a space between the pipe character.

why does the regex not work?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!