- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Another RegEx Question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been engaged in an arm wresting content with Splunk for the past couple of hours with regex and it has been beating me pretty soundly. I have read the Splunk docs and looked at the various regex help sites but I can't get it working. In fact, my regex works on http://rubular.com/ just fine. But when I put it in a search is barfs.., then laughs at me.
I have weblog data and I would like to search for COMPANY\userID and place userID in a label for use down the pipeline. This is what the data looks like
2014-03-19 12:58:00 W3SVXYZ 10.0.0.1 POST COMPANY\userID 10.1.1.1 .....
2014-03-19 12:59:00 W3SVXYZ 10.0.0.1 GET COMPANY\userID 10.2.2.2 .....
I would like to extract the userID and then perform stats on them (number of concurrent users, etc).
My code so far that works in Perl is "COMPANY\\w+" but when I use it in splunk it tanks.
<base search> | rex field=_raw "COMPANY\\\w+(?<testID>)"
It does not populate the testID field correctly and it also includes results that do not have COMPANY in it.
Thanks in advance for any tips or tricks! Mike
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
<base search=""> | rex field=_raw "COMPANY\\\(?<testid>\w+)"
The parenthesis are the regex capturing group, and the expression of the items you're trying to capture must be inside the parenthesis to be extracted as the field value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
<base search=""> | rex field=_raw "COMPANY\\\(?<testid>\w+)"
The parenthesis are the regex capturing group, and the expression of the items you're trying to capture must be inside the parenthesis to be extracted as the field value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To escape " , we added 1 slash. To escape that slash we added another two slashes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 slashes did it! Any comment on why three are needed in this case? Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use 3 slashes and no space.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response - Using the above regex yields an error - "unmatched parentheses" But when I place a space after the double backslash the results are not correct. It almost appears that the backslash in "COMPANY\userID" is not being found by the regex
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
