Splunk Search

Regex for ending with a particular pattern

xvxt006
Contributor

Hi,

I want to get all the events ending with a referrer URL of the below format.

http://www.company.com/product/Glasses-PR37323 
http://www.company.com/search?keyword=PR12389

So I tried:

| regex Referrer=*PR\d{5}$

But did not work. Any suggestions please?

0 Karma
1 Solution

rsennett_splunk
Splunk Employee

You've got a couple of syntax errors there. You need double quotes around the regular expression, and your regular expression has a couple of problems. (Also, that is an oddly non-traditional spelling for the field name (although a proper spelling of the word), so I would check on that to be sure...)

What you want is this:

| regex Referrer = "PR\d{5}$"

The regex command is a kind of a match for "keep it" or "don't keep it", so you don't have to try to accommodate the rest of the string. If it finds that pattern in the field you specify, it will keep or not keep depending upon your operator.

In this case, the asterisk isn't doing anything.

In regular expressions it isn't really a "wildcard" character. It matches 0 or more of the preceding token. So 87* will match 877, but luckily in this case you don't have to worry about that.

Now, without the asterisk, your regular expression is only looking for this: PRddddd. You need to escape the d so that it means digit and it will repeat only that character.

I think you'll be in business now.

I highly recommend this website for testing out your regular expressions.
Super helpful:

http://gskinner.com/RegExr/

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
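The points in the accepted answer (the regex command keeps or drops whole events, a leading asterisk has nothing to repeat, an unescaped d is a literal letter, and $ pins the match to the end of the field) can be checked outside Splunk. The following is an added example, not code from the thread or from Splunk: it uses Python's re module as a stand-in for Splunk's PCRE engine, which agrees with it on every construct used here, and the events and the regex_filter helper are constructed for the demonstration.

```python
import re

# Constructed sample events: the two Referrer shapes from the question, plus
# three that must be dropped (PR number not at the end, only four digits, no PR).
EVENTS = [
    {"Referrer": "http://www.company.com/product/Glasses-PR37323"},
    {"Referrer": "http://www.company.com/search?keyword=PR12389"},
    {"Referrer": "http://www.company.com/search?keyword=PR12389&page=2"},
    {"Referrer": "http://www.company.com/product/Shoes-PR1234"},
    {"Referrer": "http://www.company.com/"},
]


def regex_filter(events, field, pattern, keep=True):
    """Mimic `| regex <field>="<pattern>"` (keep=True) and
    `| regex <field>!="<pattern>"` (keep=False): search the field for the
    pattern and keep or drop the whole event. No field is created or changed.
    A missing field is treated as a non-match (an assumption of this example)."""
    compiled = re.compile(pattern)
    out = []
    for event in events:
        value = event.get(field)
        matched = value is not None and compiled.search(value) is not None
        if matched == keep:
            out.append(event)
    return out


def compile_error(pattern):
    """Return None if the pattern compiles, otherwise the engine's error text."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def demo():
    results = {}

    # 1. The original attempt: the leading '*' has no token to repeat, so the
    #    engine refuses the pattern (re says "nothing to repeat"; PCRE reports
    #    a quantifier that does not follow a repeatable item).
    results["original_compiles"] = compile_error(r"*PR\d{5}$") is None

    # 2. Corrected pattern: 'PR', exactly five digits, then end of the field.
    kept = regex_filter(EVENTS, "Referrer", r"PR\d{5}$")
    results["kept"] = [e["Referrer"] for e in kept]

    # 3. The negated operator drops exactly the events the first form kept.
    results["dropped_count"] = len(regex_filter(EVENTS, "Referrer", r"PR\d{5}$", keep=False))

    # 4. Unescaped d: 'PRd{5}$' is the literal text 'PRddddd' at the end.
    results["unescaped"] = [e["Referrer"] for e in regex_filter(EVENTS, "Referrer", r"PRd{5}$")]

    # 5. '*' quantifies only the token before it: '87*' is an 8 followed by
    #    zero or more 7s, so it matches "8" and "877" but not "78".
    results["star"] = [bool(re.search(r"^87*$", s)) for s in ("8", "877", "87777", "78")]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the corrected pattern keeping only the two referrers from the question; the event whose PR number is followed by another query parameter is dropped by the $ anchor, and the one with a four-digit number is dropped by the {5} count.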


xvxt006
Contributor

Thank you for the detailed explanation. I will try this and let you know.

0 Karma

rturk
Builder

Hi xvxt006,

Are you trying to do this via the search interface? If so, your syntax is incorrect. Try this:

<search> | rex "PR(?<referrer>\d+)"

This assumes that:

  • You do not have multiline events
  • The referrer is always preceded with PR
  • The referrer ID is always numerical.

The regex command is used to remove or keep results that match the regular expression (i.e. not for field extraction).

References:

Hope this helps!


If this answers your question don't forget to upvote and mark as answered so other people with the same issue can be helped as well 🙂

0 Karma
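The distinction drawn above, rex creating a field from a capture group while regex only decides whether an event survives, and the multiline assumption attached to it, can be shown side by side. This is an added example, not the thread's or Splunk's code: Python's re stands in for PCRE, the named group is written in re's `(?P<name>...)` spelling (the only change to the pattern from the answer), the rex_extract and regex_keep helpers are constructed, and so are the sample events, including one two-line event that exercises the caveat.

```python
import re

# Constructed sample events standing in for _raw. The last one spans two
# lines, with the PR number ending the first line rather than the event.
EVENTS = [
    "GET /a HTTP/1.1 referrer=http://www.company.com/product/Glasses-PR37323",
    "GET /b HTTP/1.1 referrer=http://www.company.com/search?keyword=PR12389",
    "GET /c HTTP/1.1 referrer=http://www.company.com/",
    "GET /d HTTP/1.1 referrer=http://www.company.com/search?keyword=PR55555\n"
    "user-agent=Mozilla/5.0",
]


def rex_extract(events, pattern):
    """Mimic `| rex "<pattern>"` on _raw: every named capture group becomes a
    new field on the event. Events that do not match keep only _raw; nothing
    is filtered out."""
    compiled = re.compile(pattern)
    out = []
    for raw in events:
        fields = {"_raw": raw}
        match = compiled.search(raw)
        if match:
            fields.update(match.groupdict())
        out.append(fields)
    return out


def regex_keep(events, pattern, flags=0):
    """Mimic `| regex "<pattern>"` on _raw: keep only the events that match.
    No field is created, so the PR number itself is not available afterwards."""
    compiled = re.compile(pattern, flags)
    return [raw for raw in events if compiled.search(raw)]


def demo():
    results = {}

    # rex: the referrer ID becomes a field; non-matching events get None.
    extracted = rex_extract(EVENTS, r"PR(?P<referrer>\d+)")
    results["referrer_ids"] = [fields.get("referrer") for fields in extracted]
    results["event_count_after_rex"] = len(extracted)

    # regex with '$': matches only at the very end of the event, so the
    # two-line event is dropped even though its first line ends in PR55555.
    results["kept_anchored"] = len(regex_keep(EVENTS, r"PR\d{5}$"))

    # Multiline mode lets '$' match at each line end (PCRE spells this (?m)),
    # which is what the "no multiline events" assumption is guarding against.
    results["kept_multiline"] = len(regex_keep(EVENTS, r"PR\d{5}$", re.MULTILINE))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The extraction pass returns all four events and attaches 37323, 12389 and 55555 where a PR number is present, while the anchored filter keeps two events in the default mode and three once $ is allowed to match at line ends; that difference is the reason the single-line assumption matters when $ is used.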

xvxt006
Contributor

I have asked this in a separate thread too. But just want to check with you guys to see if you can help me with this one too as it is similar.

I am planning to capture all the URIs with word chaser (case insensitive).

I have used this
| regex uri="(?i)Chaser(?:[^\"])"

but did not get any results. Do I need to include anything in the regex?
Thanks for your help.

Below are few examples.

1) /gdfgfd/N-/Ntt-MILWAUKEEFUEL?pm_sp=CS_Chaser--PO_L3_Multi--werwerdfg

2) /CHASER-STAKES-rOutdoor-brother-Retractable-6trJ3?we_sp=IO--PDI--RR_VTV70300505&cm_vc=WSPRRZ1

0 Karma

xvxt006
Contributor

Yes, it is not about field extraction. Thank you both for your inputs. Yes, I will mark it once I test it.

0 Karma

rturk
Builder

Ahhh you might be correct 🙂

0 Karma

rsennett_splunk
Splunk Employee

I don't think the question was about field extraction... but I guess we'll see. 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!