Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

why does the regex not work?

kennmunklarsen
New Member
‎10-12-2012 12:48 AM

Why does the following regex not both records:

(?i)(?:MEthod: ) | (?:Metode: )(?P<FIELDNAME>\w+)

Records:

2012-10-12 09:27:53,903 Ch pw succeded  Brand: /vvv_erhverv Metode: EMPLOYEE LDAP 
2012-10-12 09:25:44,374 Login succeded  Brand: /ppp_medlem MEthod: SPECIAL  LDAP

I would like to match SPECIAL and EMPLOYEE

Tags (1)
0 Karma
Reply

Drainy
Champion
‎10-12-2012 02:46 AM

Blimey, why not just do;

(?i)(?:method|metode)\:\s(\w+)

?

🙂

Reply

MuS
SplunkTrust
SplunkTrust
‎10-12-2012 01:16 AM

I fiddled out this one:

(?i)((?<=MEthod: )|(?<=Metode: ))(?<FIELDNAME>\w+)

this will match only EMPLOYEE and SPECIAL

Reply

MuS
SplunkTrust
SplunkTrust
‎10-12-2012 02:30 AM

what happens if your run this:

| regex _raw="(?i)((?<=MEthod: )|(?<=Metode: ))(?\w+)"

0 Karma
Reply

kennmunklarsen
New Member
‎10-12-2012 02:22 AM

MuS
Splunk gives the error:
Invalid regex: syntax error

when i use this:
(?i)((?<=MEthod: )|(?<=Metode: ))(?\w+)

0 Karma
Reply

MHibbin
Influencer
‎10-12-2012 12:58 AM

How about doing something like:

(?i)brand\:[^\:]+\:\s+(?P<fieldname>[^ ]+)

EDIT: Missed "+"

You can test regex out on the following site http://gskinner.com/RegExr/, (believe @Drainy shared this with me, to pass on some credit 🙂 ) it generally works for most regex you will need.

EDIT: And using your syntax, I believe the following should work

(?i)((?:MEthod:\s+)|(?:Metode:\s+))(?P<FIELDNAME>\w+)

You had a space between the pipe character.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...