Why does the following regex not match both records:
(?i)(?:MEthod: ) | (?:Metode: )(?P<FIELDNAME>\w+)
Records:
2012-10-12 09:27:53,903 Ch pw succeded Brand: /vvv_erhverv Metode: EMPLOYEE LDAP
2012-10-12 09:25:44,374 Login succeded Brand: /ppp_medlem MEthod: SPECIAL LDAP
I would like to match SPECIAL and EMPLOYEE.
Blimey, why not just do;
(?i)(?:method|metode)\:\s(\w+)
?
🙂
I fiddled out this one:
(?i)((?<=MEthod: )|(?<=Metode: ))(?<FIELDNAME>\w+)
This will match only EMPLOYEE and SPECIAL.
What happens if you run this:
MuS
Splunk gives the error:
Invalid regex: syntax error
when I use this:
(?i)((?<=MEthod: )|(?<=Metode: ))(?
How about doing something like:
(?i)brand\:[^\:]+\:\s+(?P<fieldname>[^ ]+)
EDIT: Missed "+"
You can test regex out on the following site: http://gskinner.com/RegExr/ (believe @Drainy shared this with me, to pass on some credit 🙂). It generally works for most regex you will need.
EDIT: And using your syntax, I believe the following should work
(?i)((?:MEthod:\s+)|(?:Metode:\s+))(?P<FIELDNAME>\w+)
You had a space between the pipe character.
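An added example, not part of the original thread: the two records from the question run against the pattern as posted, the same pattern with only the spaces around the pipe removed, and the grouped version from the last answer. It uses Python's re module as a stand-in for Splunk's regex engine (an assumption; these constructs behave the same way), and the names PATTERNS, extract and run_all are made up for the illustration.

```python
import re

# The two records from the question, copied from the thread.
RECORDS = [
    "2012-10-12 09:27:53,903 Ch pw succeded Brand: /vvv_erhverv Metode: EMPLOYEE LDAP",
    "2012-10-12 09:25:44,374 Login succeded Brand: /ppp_medlem MEthod: SPECIAL LDAP",
]

PATTERNS = {
    # As posted. The spaces around "|" are literal characters, so the left
    # branch needs "MEthod:" followed by TWO spaces and the right branch
    # needs a leading space before "Metode:".
    "original": r"(?i)(?:MEthod: ) | (?:Metode: )(?P<FIELDNAME>\w+)",
    # Spaces removed, nothing else changed. A top-level "|" splits the whole
    # pattern, so the capture group belongs to the right branch only. The
    # left branch matches "MEthod: " but captures nothing.
    "spaces_removed": r"(?i)(?:MEthod: )|(?:Metode: )(?P<FIELDNAME>\w+)",
    # From the last answer: the alternation is wrapped in its own group, so
    # the capture group follows either spelling.
    "grouped": r"(?i)((?:MEthod:\s+)|(?:Metode:\s+))(?P<FIELDNAME>\w+)",
}


def extract(pattern, line):
    """Return the FIELDNAME capture, or None if there is no match or the
    group did not take part in the match."""
    m = re.search(pattern, line)
    return m.group("FIELDNAME") if m else None


def run_all():
    """Map each pattern name to the values extracted from RECORDS, in order."""
    return {name: [extract(p, r) for r in RECORDS] for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, values in run_all().items():
        print(f"{name:15} {values}")
```

The second pattern is the one to watch in a field extraction: it matches the login record, so nothing looks wrong, but the field comes back empty.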