Splunk Search

How do I add this regex string to my search?

cj039165
New Member

Hello -

I have the search running below. How do I add "AAA*Y**80*" to the search?

Search:

index=hdx_payer sourcetype=hdx_payer_receive_logs | regex "AAA*Y**42*"

Thanks

0 Karma
1 Solution

somesoni2
SplunkTrust

Like this
Update #2 - per latest comment

index=hdx_payer sourcetype=hdx_payer_receive_logs | regex _raw="(AAA.*Y.*42.*|AAA.*Y.*80.*)"

OR

index=hdx_payer sourcetype=hdx_payer_receive_logs | regex _raw="(AAA.Y..42.*|AAA.Y..80.*)"


gabriel_vasseur
Contributor

You'll get much better help if you clarify a number of things.
What does the * mean in your question? It doesn't seem to be the regular expression *. Your example has Y** which isn't a valid regex due to the two * in a row (that's what's causing the "nothing to repeat" error).
It would help a lot if you gave examples of the things you want to match.
Also, you need to confirm if you want both your patterns to match or either. Is this an AND or an OR that you want?

0 Karma

cj039165
New Member

Sorry for the confusion. Our files contain what are called triple A errors. For this question there are two AAA errors that are showing up in a file. They are AAA*Y*41 and AAA*Y80. The asterisks you see are delimiters in the files. That is exactly how the AAA error looks. I'm not using the asterisks as wildcards. I know I have to regex around them; I'm having trouble adding two AAA errors into one search. I'm looking for AAA*Y41 OR AAA*Y*80. I want to find them both. Thanks.

0 Karma

cj039165
New Member

Sorry, I was not clear.

I'm trying to search for AAA*Y*41 and AAA*Y*80 in a log file. I have to regex around both of these. I'm having trouble getting the two regexes into one search.

0 Karma

somesoni2
SplunkTrust

Try the updated answer.

0 Karma

dcharboneau_spl
Splunk Employee

index=hdx_payer sourcetype=hdx_payer_receive_logs | regex _raw= "AAA*Y*42"

http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Regex

0 Karma

cj039165
New Member

I tried that. Here is the error I got:

Error in 'SearchOperator:regex': The regex '(AAA*Y*42|AAA*Y*80)' is invalid. Regex: nothing to repeat

0 Karma

somesoni2
SplunkTrust

How about the updated #2?

0 Karma

sundareshr
Legend

If the string has a literal char * you will have to escape it, like this

... | regex "AAA\*Y\*\*42\*"
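
An added example, not posted by anyone in the thread: it uses Python's re module (not Splunk's PCRE engine, so the error wording differs) to show that the unescaped string is rejected, how escaping yields a two-code alternation, and how the wildcard form matches more than the literal codes. The sample events and all function names are constructed for illustration.

```python
import re

# Literal strings from the question; '*' is a field delimiter in the logs.
CODES = ["AAA*Y**42*", "AAA*Y**80*"]

# Constructed sample events (not taken from the thread).
EVENTS = [
    "2016-06-01 10:00:01 resp=AAA*Y**42*~",
    "2016-06-01 10:00:02 resp=AAA*Y**80*~",
    "2016-06-01 10:00:03 resp=AAA*N**79*~ name=YOUNG id=4280",
    "2016-06-01 10:00:04 resp=AAA*Y**15*~",
]

def compiles(pattern):
    """Return True if the regex engine accepts the pattern."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def literal_alternation(literals):
    """Escape every metacharacter, then OR the literals together."""
    return "(?:" + "|".join(re.escape(s) for s in literals) + ")"

def matching(pattern, events):
    """Indexes of events the pattern matches anywhere (unanchored)."""
    rx = re.compile(pattern)
    return [i for i, e in enumerate(events) if rx.search(e)]

# Escaped form: every '*' is a literal delimiter.
STRICT = literal_alternation(CODES)
# Wildcard form from the accepted answer: '.' and '.*' match any characters.
LOOSE = r"(AAA.*Y.*42.*|AAA.*Y.*80.*)"

if __name__ == "__main__":
    print("raw string compiles:", compiles(CODES[0]))
    print("escaped pattern:", STRICT)
    print("strict hits:", matching(STRICT, EVENTS))
    print("loose hits: ", matching(LOOSE, EVENTS))
```

The third constructed event carries a different code but still satisfies the wildcard pattern, because "Y" and "42" appear later on the same line; the escaped pattern only matches the two exact codes.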