Splunk Search

Regex help - sourcetypes with hyphens, -too_small, & -\d+

Runals
Motivator

Relative to sourcetypes I'm trying to come up with a regex to pull out the 'root' being sensitive to the naming convention for ones that Splunk has attempted to learn (-too_small & -#). What is tripping me up is when a sourcetype has a hyphen in it already. This regex gets me pretty close but if anyone can recommend a tweak I'd be all ears.

| rex field=sourcetype "(?<st>[^-]+)(?<d>-too_small$|-\d+$)?" 

So for example if my sourcetype is 'my-sourcetype' the regex above will return 'my'

Tags (1)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Use this instead:

| rex field=sourcetype "^(?<st>.+?)(?<d>-too_small|-\d+)?$"

I made these changes:

  • Allow hyphens in <st>
  • Make <st> non-greedy to avoid eating up <d>
  • Move the $ anchor out of the optional <d> to force the non-greedy <st> to go all the way
  • Added a ^ anchor - for prettiness/readability, no functional need because <st> will start at the beginning anyway

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Use this instead:

| rex field=sourcetype "^(?<st>.+?)(?<d>-too_small|-\d+)?$"

I made these changes:

  • Allow hyphens in <st>
  • Make <st> non-greedy to avoid eating up <d>
  • Move the $ anchor out of the optional <d> to force the non-greedy <st> to go all the way
  • Added a ^ anchor - for prettiness/readability, no functional need because <st> will start at the beginning anyway
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...