why does the regex not work?

kennmunklarsen · ‎10-12-2012

Why does the following regex not both records:

(?i)(?:MEthod: ) | (?:Metode: )(?P<FIELDNAME>\w+)

Records:

2012-10-12 09:27:53,903 Ch pw succeded  Brand: /vvv_erhverv Metode: EMPLOYEE LDAP 
2012-10-12 09:25:44,374 Login succeded  Brand: /ppp_medlem MEthod: SPECIAL  LDAP

I would like to match SPECIAL and EMPLOYEE

Drainy · ‎10-12-2012

Blimey, why not just do;

(?i)(?:method|metode)\:\s(\w+)

?

🙂

MuS · ‎10-12-2012

I fiddled out this one:

(?i)((?<=MEthod: )|(?<=Metode: ))(?<FIELDNAME>\w+)

this will match only EMPLOYEE and SPECIAL

MuS · ‎10-12-2012

what happens if your run this:

| regex _raw="(?i)((?<=MEthod: )|(?<=Metode: ))(?\w+)"

kennmunklarsen · ‎10-12-2012

MuS
Splunk gives the error:
Invalid regex: syntax error

when i use this:
(?i)((?<=MEthod: )|(?<=Metode: ))(?\w+)

MHibbin · ‎10-12-2012

How about doing something like:

(?i)brand\:[^\:]+\:\s+(?P<fieldname>[^ ]+)

EDIT: Missed "+"

You can test regex out on the following site http://gskinner.com/RegExr/, (believe @Drainy shared this with me, to pass on some credit 🙂 ) it generally works for most regex you will need.

EDIT: And using your syntax, I believe the following should work

(?i)((?:MEthod:\s+)|(?:Metode:\s+))(?P<FIELDNAME>\w+)

You had a space between the pipe character.

why does the regex not work?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

why does the regex not work?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem