Splunk Search

regex help

alanhowlett
New Member

I'm trying to configure a field extraction but am getting some strange incisions in the output. I'm running the below regex
^(?:[^:\n]*:){4}\s+(?P<State>[^|]+), but am seeing additional values. The output should be all uppercase, but I'm still getting some lowercase values after using the [A-Z] in the regex.

I've also tried to pinpoint the outputs using the below but still get the additions.
^(?:[^:\n])\s state\s:\s(?P<State>[^|]+)

What I'm trying to configure is a field extraction of an uppercase word, but I need to ignore - ()[]{}|
The output should be - ROUTE_START
But I'm also seeing things like - [Order{

Thanks

0 Karma

gmchenry
Explorer

Another version that could work is:

(?:arrived in state : )(?P<State>\w+)

0 Karma

risgupta
Path Finder

Try

state\s:\s(?P<State>[A-Z_-]+)\|[^\|]+\|$

and also you can use
https://regex101.com

This is a very good site to learn and test your regex.

0 Karma

richgalloway
SplunkTrust

Please provide some sample data that you are trying to validate with regex.

---
If this reply helps you, Karma would be appreciated.
0 Karma

alanhowlett
New Member

I can't supply the actual log as it has confidential banking information, but this is one from test.

Example of one of the messages:

08:45:16.674 [2018-01-03T08:45:16.674+0000] 3950682 INFO [p-quote-13-13-L-1] --- LoggerUtil: STATE ENGINE|AA32699|Quote21849812-0|Quote message arrived in state : RECORD_KEEPING_END|110|

All I need to see is RECORD_KEEPING_END.

0 Karma

somesoni2
SplunkTrust

Is it always available as the 2nd-last value? If yes, give this regex a try

 state\s:\s(?P<State>[A-Z_-]+)\|[^\|]+\|$

https://regex101.com/r/24sjMS/1

0 Karma
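A quick way to check a field-extraction regex before putting it into a Splunk `rex` or props.conf stanza is to run it over a few known-good and known-bad lines outside Splunk. The script below is an added example, not code from the thread or from Splunk: it uses the sample line quoted above plus two further lines constructed here to reproduce the kinds of noise the question describes (a bracketed value and a lowercase value). It compares a broad capture (`[^|]+`, which accepts anything up to the next pipe) with the stricter pattern from the answer above (`[A-Z_-]+` anchored by the trailing `\|[^\|]+\|$`), so you can see which lines each one extracts a value from. Python's `re` accepts the same `(?P<State>...)` named-group syntax as Splunk's PCRE engine for these patterns.

```python
import re

# Constructed sample data: the first line is the one quoted in the thread,
# the other two are made up here to exercise the failure modes discussed
# (a value starting with '[' and a lowercase value).
SAMPLE_LINES = [
    "08:45:16.674 [2018-01-03T08:45:16.674+0000] 3950682 INFO [p-quote-13-13-L-1] "
    "--- LoggerUtil: STATE ENGINE|AA32699|Quote21849812-0|"
    "Quote message arrived in state : RECORD_KEEPING_END|110|",
    "08:45:17.001 [2018-01-03T08:45:17.001+0000] 3950683 INFO [p-quote-13-13-L-1] "
    "--- LoggerUtil: STATE ENGINE|AA32700|Quote21849813-0|"
    "Quote message arrived in state : [Order{id=1}|110|",
    "08:45:17.250 [2018-01-03T08:45:17.250+0000] 3950684 INFO [p-quote-13-13-L-1] "
    "--- LoggerUtil: STATE ENGINE|AA32701|Quote21849814-0|"
    "Quote message arrived in state : pending|110|",
]

# Broad capture: everything after "state : " up to the next pipe.
# This is the shape of pattern that lets "[Order{" and lowercase words through.
BROAD = re.compile(r"state\s:\s(?P<State>[^|]+)")

# Strict capture: only uppercase letters, underscore and hyphen, and the
# value must be the 2nd-last pipe-delimited field on the line.
STRICT = re.compile(r"state\s:\s(?P<State>[A-Z_-]+)\|[^\|]+\|$")


def extract_state(line, pattern=STRICT):
    """Return the State field for one log line, or None if the pattern
    does not match (Splunk would likewise leave the field unset)."""
    match = pattern.search(line)
    return match.group("State") if match else None


def extract_all(lines, pattern=STRICT):
    """Apply the pattern to every line, keeping None for non-matches so the
    result lines up with the input and the misses are easy to spot."""
    return [extract_state(line, pattern) for line in lines]


if __name__ == "__main__":
    for name, pattern in (("broad", BROAD), ("strict", STRICT)):
        print(name, extract_all(SAMPLE_LINES, pattern))
```

The strict pattern yields a value only for the line whose state is an uppercase token in the expected position; the broad one also returns `[Order{id=1}` and `pending`. Once the pattern behaves as intended here, the same string can be dropped into `| rex field=_raw "state\s:\s(?P<State>[A-Z_-]+)\|[^\|]+\|$"` in a search, or into a field extraction, without surprises.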

alanhowlett
New Member

Thanks, that worked.

I was looking for the regex site as well. Very useful.

0 Karma

risgupta
Path Finder

You can use
https://regex101.com

This is a very good site to learn and test your regex.

0 Karma