Splunk Search

How to write the regex to extract a field with optional end anchors?

Cuyose
Builder

I haven't a clue why I cannot find this particular issue. I would think it would come up all the time. I want to extract text into a field based on a common start string and optional end strings.

Based on these 2 events, I want to extract the italics
Message=Layer SessionContext was missing. Key searched for was kt2oddg0cahtgoo13aotkf54.
Message=Could not derive start call POS key from: TPID=37, EAPID=0, SourceCode=TA, CID=, Brand=EAI

In other words, if there is an end string that matches Key, get everything before it and the beginning string, otherwise just grab it all up to /n

These will work, but I cannot get them combined.

 rex field=_raw "(?i)Message=(?P<testMessage>.*?)\bKey"
 rex field=_raw "(?i)Message=(?P<testMessage>.*?)\n"
0 Karma

woodcock
Esteemed Legend

Try this:

rex field=_raw "(?i)Message=(?<testMessage>.*?)(?:\bKey|\n)

bmacias84
Champion

?: is a non-capturing group.

0 Karma

Cuyose
Builder

Perfect, I am not sure why I couldnt find the (?:\bKey|\n)" syntax.

so in the above the "(?:" portion is stating an optional lookbehind?

0 Karma

woodcock
Esteemed Legend

Also, @Cuyose, you should click Accept to close the question and let people find working answers more easily.

0 Karma

woodcock
Esteemed Legend

No, the (?:) syntax says "treat this as a group but not a capture-group". So it says that the thing before it must end with either \bkey or with \n. There is no need for lookbehind.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...