Splunk Search

How to use wildcard inside string regex?

limalbert
Path Finder

The log contains strings in the format below.

name:X_device:Y_
name-U:X1_Y2_

It has a mixed pattern, and I'm wondering how to use a wildcard if I do the regex for name and device in a string (inside double quotes) like below?

rex "name *wildcard* (?<name>\w*)_"
rex "device *wildcard* (?<device>\w*)_"
0 Karma
1 Solution

somesoni2
SplunkTrust

This should do it. (runanywhere sample search. Replace everything before rex with your search)

| gentimes start=-1 | eval raw="name:X_device:Y_#name-U:X1_Y2_" | table raw | makemv raw delim="#" | mvexpand raw | rename raw as _raw 
|rex "name[^:]*:(?<name>[^_]+)_(device:)*(?<device>[^_]+)"

limalbert
Path Finder

Thank you! This works!

0 Karma

yuanliu
SplunkTrust

The concept of "wildcard" is more refined in regex, so you just have to use the regex format. If you expect 0 or more repetitions of any character, for example, you would use .* instead of just *.

In regex, * means 0 or more repetitions of the character preceding it; in one of your examples, name *wildcard*, the first "*" represents 0 or more white spaces, whereas the second "*" represents 0 or more of the letter "d". If you want your "wildcard" to represent any character in any repetition, you precede "*" with the special character ".", which in regex can represent any single character.

0 Karma
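To see the accepted answer's rex pattern and the "*" versus ".*" point side by side, here is an added Python example that is not part of the thread or of Splunk. It runs the accepted pattern over two constructed events in the shapes the question describes, and then compares three ways of writing "anything between name and the colon". The only change to the pattern is the named-group syntax: Splunk's rex uses (?<name>...), while Python's re module requires (?P<name>...).

```python
import re

# Constructed sample events in the two shapes the question describes:
# one carries a "device:" keyword, the other does not.
SAMPLE_EVENTS = [
    "name:X_device:Y_",
    "name-U:X1_Y2_",
]

# Splunk's rex names groups as (?<name>...); Python's re needs (?P<name>...).
# That is the only change made to the accepted answer's pattern.
ACCEPTED = re.compile(r"name[^:]*:(?P<name>[^_]+)_(device:)*(?P<device>[^_]+)")


def extract_fields(event, pattern=ACCEPTED):
    """Return the name/device fields the way rex would, or None if the
    pattern does not match (rex simply adds no fields in that case)."""
    m = pattern.search(event)
    if m is None:
        return None
    return {"name": m.group("name"), "device": m.group("device")}


def extract_all(events, pattern=ACCEPTED):
    """Apply extract_fields to every event, like rex over a search result."""
    return [extract_fields(e, pattern) for e in events]


# Three ways of writing "anything between name and the colon", to show what
# '*' actually quantifies. Only the captured name is returned for each.
NAME_PATTERNS = {
    # The question's literal attempt: ' *' repeats the space and 'd*' repeats
    # the 'd' of "wildcard", so the pattern demands the literal text "wildcar".
    "literal": re.compile(r"name *wildcard* (?P<name>\w*)_"),
    # '.*' is the regex wildcard, but it is greedy: it runs to the LAST colon.
    "dot_star": re.compile(r"name.*:(?P<name>[^_]+)_"),
    # '[^:]*' stops at the FIRST colon, which is what the accepted answer uses.
    "negated_class": re.compile(r"name[^:]*:(?P<name>[^_]+)_"),
}


def compare_name_patterns(events=SAMPLE_EVENTS):
    """Map each pattern label to the list of names it captures per event
    (None where the pattern does not match the event at all)."""
    result = {}
    for label, pattern in NAME_PATTERNS.items():
        captured = []
        for event in events:
            m = pattern.search(event)
            captured.append(m.group("name") if m else None)
        result[label] = captured
    return result


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f"{event!r:24} -> {fields}")
    for label, names in compare_name_patterns().items():
        print(f"{label:14} -> {names}")
```

The comparison is the practical reason the accepted answer uses [^:]* rather than .*: on the event with a device keyword, the greedy .* skips past the first colon and captures the device value as the name, so a field that looks populated is silently wrong. A negated character class stops at the first delimiter and also cannot run across event boundaries.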

somesoni2
SplunkTrust

Hey @limalbert, Please format any search/code/data sample that you post using code button (button with '101010' above the editor) or by pressing Ctrl+K.

In the 2nd example, there is no keyword for device. Is that correct or a typo? Are you looking to wildcard the parts I highlighted here: name**:**X and name**-U:**X1?

0 Karma

limalbert
Path Finder

Hi @somesoni,

I edited the question.

For the second example for device, there is no keyword, and that's why it's a little bit difficult. I found another alternative to a wildcard by using this: (?:[^/]+)?. I successfully used this to get the name field, but I'm still working on the device since it doesn't have a keyword.

rex "name(?:[^/]+)?:(?<name>\w*)_"
0 Karma

somesoni2
SplunkTrust

Give this a try (single rex to extract both)

rex "name[^\:]+\:(?<name>\w+)_(device\:)*(?<device>\w+)"
0 Karma

limalbert
Path Finder

Sorry, the output for device is actually only "Y". It only gives the one with the keyword, but it doesn't give the one without the keyword.

0 Karma

limalbert
Path Finder

Can you help me understand what you did after name? Specifically this one, [^:]+.
Also, it works to get only the first device, so the only output is device:Y.

0 Karma