I have the following excerpt of exchange logs. There are more fields before and after this excerpt.
,awells@atcorp.com,awells@atcorp.com,Hi, my dear friend!,
The regex I have developed is:
,(?P[^,]*|,),(?P[^,]*|,),(?P[^,]*|,),]
Using comma (,) as a field delimiter
The first field "sender_address" is parsed as "awells@atcorp.com" - the desired result
The 2nd field "return_path" is parsed as "awells@atcorp.com" - the desired result
The 3rd field "message_subject" is parsed as "Hi," but it should be "Hi, my dear friend!"
I observed that a comma followed by character is field delimiter, but a comma followed by blank space is not.
Question: what is a correct regex for the 3rd field?
This regex appears to work as you want, and should work as long as there is a comma at the end of field three:
,(?<Field1>[^,]+),(?<Field2>[^,]+),(?<Field3>.*),
I tested and your solution does not work. The example string is listed below
,awells@atcorp.com,awells@atcorp.com,Hi, my dear friend! ,
Focusing on the 3rd field, the last two characters include a space between the ! , (exchamation mark + space + comma)
The field separator at the end of the 3rd field should be a space+comma. I have tried this
,(?[^,]+),(?[^,]+),(?.)\s, it does not work but
,(?[^,]+),(?[^,]+),(?.|\s), does
I do not understand why the first one does not work as the field separator is a space+comma
If the third field always ends with space+comma then this works for me:
,(?<field1>[^,]+),(?<field2>[^,]+),(?<field3>.+) ,
Thank you.
What is the difference between " " (blank space) and \s embedded in regex statements?
\s
matches any white space (space, tab, etc.) whereas ' ' matches only space. \s
is probably best practice. In your case, they should be interchangeable.
Correction
,(?[^,]+),(?[^,]+),(?.)\s, it does not work but
,(?[^,]+),(?[^,]+),(?.|\s), does
there is backward slash before the s
Can the field delimiter be changed? Is there another way to determine the end of field 3 (keyword, etc.)? Can fields be enclosed in quotes?
The complete regex should be
,(?P[^,]*|,),(?P[^,]*|,),(?P[^,]*|,),]
Somehow it was modified during the posting.
Just edited your post and comment so your regex renders correctly on this site.
I used to have that ability until the site was upgraded. How do I get it back?
Ah that's not good at all, thanks for letting me know. Let me look into it and I'll get back to you. (are you "Rich" in the IRC #splunk channel? If yes, I pinged ya earlier to chat about this, but wasn't sure if that was you lol)
No, not me. I don't use IRC.
Ah ok haha woops. Well just to get more info, you haven't been able to edit other users' posts since this site was updated back in September?
That's correct.