Solved: reverse regular expression to capture text started...

royimad · ‎08-28-2013

Is there a reverse regular expression that start with an end line and begin with a characters
Example:
I have a regular expression that i would like to use the same concept but in reverse order.
Hereby the regular expression:

| rex field=_raw "(?ms)?<capture>Total.*)^"

I need to use the same concept but in reverse order without changing the subject , same characters *,^ If this is not possible i will learn something else but actually i prefer to do it with the same concept.

Finding the last dash in capture in reverse order and going to the second dash with the right order not the reverse.

kristian_kolb · ‎08-28-2013

Hm, I guess that you want to anchor the regex to the end of a string (with a $). Something like this perhaps. Assuming that you have a field that contains;

My powerful crane stands proudly, looking out over the building site as the sun sets. I really think it is beautiful. I love cranes.

To capture the last sentence the following regex will work;

rex field=my_text "\.\s(?<last_sentence>[\w\s]+\.)$"

Now the field last_sentence has the value I love cranes.

/K

But as Ayn says, provide some sample events, and what you want to extract.

View solution in original post

Ayn · ‎08-28-2013

Fair enough, an answer with about the same detail: yes, it can be done.

royimad · ‎08-28-2013

It is simply as that:
Start with the end of a text and go to the last characters up, can this be done?

kristian_kolb · ‎08-28-2013

Hm, I guess that you want to anchor the regex to the end of a string (with a $). Something like this perhaps. Assuming that you have a field that contains;

My powerful crane stands proudly, looking out over the building site as the sun sets. I really think it is beautiful. I love cranes.

To capture the last sentence the following regex will work;

rex field=my_text "\.\s(?<last_sentence>[\w\s]+\.)$"

Now the field last_sentence has the value I love cranes.

/K

But as Ayn says, provide some sample events, and what you want to extract.

Rob · ‎08-28-2013

+1 for the crane

rturk · ‎08-28-2013

Seconded - shut up and take my karma! 🙂

Ayn · ‎08-28-2013

Upvoted for "My powerful crane stands proudly"

Ayn · ‎08-28-2013

Also please make sure you get formatting in code blocks correct. Code blocks should be indented by 4 spaces at the start of each line. Without that, characters like * will mess up the formatting and your regexes will not show as they should.

Ayn · ‎08-28-2013

Again, show an example. Including sample event. I've no idea what the text you're trying to match something against looks like.

royimad · ‎08-28-2013

I'm thinking of that:

sourcetype="imap" 
| rex field=_raw "(?ms)(?<capture>Total.*)^" 
| rex field=capture "-(?<dash>.*)" 
| rex field=dash "-(?<seconddash>.*)" 
| rex field=seconddash "-(?<thirddash>.*)"
| rex field=thirddash "-(?<fourthdash>.*)"
| rex field=fourthdash "-(?<fifthdash>.*)"
| rex field=fifthdash "-(?<sixdash>.*)"
| rex field=sixdash "-(?<sevendash>.*)"

But it appear that is a long way to finish, The reverse order will make much more sense.

Ayn · ‎08-28-2013

It's a bit confusing. What do you mean by reverse in this case? Can you give us a specific example of what you want to do, because I think you're making this sound a bit more complicated than it needs to be 🙂

reverse regular expression to capture text started by end line and ending with begining of a character

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life