Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is regex not working?

man03359
Communicator
‎08-10-2023 06:18 AM

Hi all!

I have a field called "correlation id" in my search output, out of which I am trying to extract another field called "key". e.g.

Correlation id field value: Stores_XstorePOSError_tjm1554_2023320

Then its corresponding key value: Stores_XstorePOSError_tjm1554, which I am able to achieve using this regex -

| rex field=correlation_id "^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d]*))([\._])?" 

which is unfortunately not working for some correlation ids.

e.g. -

Correlation id field value: STP_Stores_DiskSpace_stp-44slcapp9_20230809

Key value coming is: STP_Stores_DiskSpace_stp

I assume it is because in the regex, it is mentioned to take "_" and not "-" 

How do I fix it?

Tags (2)
Preview file
23 KB
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2023 06:50 AM

It is not clear what you are expecting to get from STP_Stores_DiskSpace_stp-44slcapp9_20230809

0 Karma
Reply

man03359
Communicator
‎08-10-2023 07:06 AM

I am extracting all the other fields, "device", "key", geo", "incident_group" from the correlation_id using this regex-

| rex field=correlation_id "^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d]*))([\._])?"

But unfortunately, this regex does not work for some-

e.g. STP_Stores_DiskSpace_stp-44slcapp9_20230809,

it is extracting only : STP_Stores_DiskSpace_stp instead of STP_Stores_DiskSpace_stp-44slcapp9.

I am assuming its because after stp there is "-" and not "_".

I have attached the working one for comparison.

Hope this is clear.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2023 07:15 AM 
| rex field=correlation_id "^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d-]*))([\._])?"
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎08-10-2023 07:13 AM

Hi @man03359,

Please try below updated regex;

| rex field=correlation_id "^(?P<key>(?P<geo>(\w+[\._])?Stores)[\._](?P<incident_group>[^\._]+)([\._][^\._]+)?[\._](?P<device>[a-zA-Z]{3,4}[a-zA-Z\d-]*))([\._])?"
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

man03359
Communicator
‎08-10-2023 06:52 AM

I need to extract till STP_Stores_DiskSpace_stp-44slcapp9 under the key field from the correlation id: STP_Stores_DiskSpace_stp-44slcapp9_20230809

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...