rex field=GB"(?[^]+)"
Hi Team, can anyone help me understand each piece of syntax in the above command? I would also like to know where such commands are used.
| Term | Description | Example | Explanation |
|---|---|---|---|
| * | Match zero or more times. | \w* | Matches zero or more word characters. |
| + | Match one or more times. | \d+ | Match at least one digit. |
| ? | Match zero or one time. | \d\d\d-?\d\d-?\d\d\d\d | Matches a Social Security Number with or without dashes. |
| ( ) | Parentheses define match or capture groups, atomic groups, and lookarounds. | (H..).(o..) | When given the string Hello World, this matches Hel and o W. |
| [ ] | Square brackets define character classes. | [a-z0-9#] | Matches any character that is a through z, 0 through 9, or #. |
| { } | Curly brackets define repetitions. | \d{3,5} | Matches a string of 3 to 5 digits in length. |
| < > | Angle brackets define named capture groups. Use the syntax (?P<var> ...) to set up a named field extraction. | (?P<ssn>\d\d\d-\d\d-\d\d\d\d) | Pulls out a Social Security Number and assigns it to the ssn field. |
| [[ ]] | Double brackets define Splunk-specific modular regular expressions. | [[octet]] | A validated 0-255 range integer. |
Also refer to this link, where you can learn and write regex for specific events:
https://regex101.com/
Let me know if this helps you!
Thanks, everyone, for helping me.
@maheshsat, if your problem is resolved, please accept an answer to help future readers.
Hi @maheshsat,
you can check the Splunk docs below to understand regular expression syntax.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/AboutSplunkregularexpressions
rex : the command for inline field extractions, see http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/rex
field=GB : use that field to extract from
() : regex capturing group
?<gb> : name the group gb, resulting in a field called gb
[] : regex character class
^ : negates whatever is after the ^ in the character class, this is missing in your example. If it were [^a], this would match every character except an a
+ : one or more matches
Please use 101010 and type your rex query there.
rex field=GB"(?<gb>[^]+)"
Make sure you have the correct SPL string, and use the code sample button in the editor to post it here to include all special chars.
As it's readable in your current question there are several syntax issues.
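The pieces listed in the answers above (named capturing group, negated character class, + quantifier), put together as an added Python example that is not from the thread or from Splunk. The `rex` helper is a hypothetical stand-in for the SPL command, the sample event is constructed, and `[^"]` is an illustrative character class chosen here, not the asker's original.

```python
import re

# Splunk accepts both (?<name>...) and (?P<name>...); Python's re only accepts
# the (?P<name>...) spelling, so rewrite the former. Lookbehinds, (?<= and
# (?<!, are left untouched.
_NAMED_GROUP = re.compile(r"\(\?<(?![=!])")


def rex(event, field, pattern):
    """Hypothetical stand-in for `rex field=<field> "<pattern>"` on one event.

    Returns a copy of the event with every named capture group that matched
    added as a new field. Raises ValueError if the pattern does not compile.
    """
    try:
        compiled = re.compile(_NAMED_GROUP.sub("(?P<", pattern))
    except re.error as exc:
        raise ValueError(f"invalid regex {pattern!r}: {exc}") from exc
    result = dict(event)
    match = compiled.search(str(event.get(field, "")))
    if match:
        result.update({k: v for k, v in match.groupdict().items() if v is not None})
    return result


# Constructed sample event with a field named GB.
EVENT = {"GB": 'disk="120 GB" host=web01'}

# Pattern as it appears in the thread: nothing follows ^ inside the class, so
# Python's re reads the ] as a literal and never finds the end of the class.
AS_POSTED = '"(?<gb>[^]+)"'

# Illustrative completion: one or more characters that are not a double quote.
COMPLETED = '"(?<gb>[^"]+)"'


def demo():
    """Return (did the posted pattern compile?, event after the completed one)."""
    try:
        rex(EVENT, "GB", AS_POSTED)
        compiled_ok = True
    except ValueError:
        compiled_ok = False
    return compiled_ok, rex(EVENT, "GB", COMPLETED)


if __name__ == "__main__":
    print(demo())
```
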