Solved: Can i write a conditional regular expression?

royimad · ‎04-11-2013

Hello Splunk Expert,
I'm writing a regular expression rex to extract a new field from a log with multi line.
The log is as following

Event 1: 2012/03/20 ERROR ABC - XYX
.... multi lines

Event 2: 2012/04/20 ERROR ABC - KLM
Event 3: 2012/04/29 FATAL CDR - SKL
.... multi lines

I need to get 2 lines started from "-" or one line if multi lines doesn't exist, so a conditional regular expression:

My regular expression example is getting 50 characters if exist after the "-" but if those 50 characters doesn't exist my regular expression didn't extract KLM wich is 3 characters.
(?-.{50})

Lines length is varied sometimes more sometimes less than 50 characters.

So how to write a regular expression to extract one line after the "-" and 2 lines if exist after the "-"?

Thanks,
Roy

kristian_kolb · ‎04-11-2013

The following works in a regex testing tool (don't have a splunk on me right now). Added the Splunk specific field extraction stuff.

(?m)\s-\s(?<description>([\w\s]+$?[\w\s]+))

Right now it requires [\w\s]+ on both sides of an optional linebreak. If your events contain other characters in the message, you'll have to add them to the character classes (e.g +:;.,?!% etc).

Minimum length will be 2 otherwise the regex will fail.

UPDATE:

It seems that my regex skill were not up to speed: this seems to be a case where you have to double your backslashes in the specification of the pattern you want to capture;

   ... | rex "(?m)\s+-+\s+(?<AAA>([\\s\\w.\\[\\]:/]+\$?[\\s\\w.\\[\\]:/]+))" | ...

which should capture the following characters [\s\w.\[\]:/] on each side of an optional $. As you can see above, the newline needs to be escaped as well. Why it works this way.. dunno.

http://stackoverflow.com/questions/6288181/javascript-regex-nothing-to-repeat-error gave me the idea to try it, and it worked. Anyone with deeper understanding, willing to share?

Tested and working on 5.0.2.

Kristian

View solution in original post

kristian_kolb · ‎04-11-2013

The following works in a regex testing tool (don't have a splunk on me right now). Added the Splunk specific field extraction stuff.

(?m)\s-\s(?<description>([\w\s]+$?[\w\s]+))

Right now it requires [\w\s]+ on both sides of an optional linebreak. If your events contain other characters in the message, you'll have to add them to the character classes (e.g +:;.,?!% etc).

Minimum length will be 2 otherwise the regex will fail.

UPDATE:

It seems that my regex skill were not up to speed: this seems to be a case where you have to double your backslashes in the specification of the pattern you want to capture;

   ... | rex "(?m)\s+-+\s+(?<AAA>([\\s\\w.\\[\\]:/]+\$?[\\s\\w.\\[\\]:/]+))" | ...

which should capture the following characters [\s\w.\[\]:/] on each side of an optional $. As you can see above, the newline needs to be escaped as well. Why it works this way.. dunno.

http://stackoverflow.com/questions/6288181/javascript-regex-nothing-to-repeat-error gave me the idea to try it, and it worked. Anyone with deeper understanding, willing to share?

Tested and working on 5.0.2.

Kristian

kristian_kolb · ‎04-11-2013

see update above /k

royimad · ‎04-11-2013

I have try it on Field Extraction:
Encountered the following error while trying to update: In handler 'props-extract': Regex: nothing to repeat

royimad · ‎04-11-2013

I need to extract one line if their is no other lines and 2 lines if multi lines exist.

kristian_kolb · ‎04-11-2013

I believe the reason for the regex failing is that you specify it to be exactly 50 characters. This cannont happen, since you reach the end of the event (line) before that.

If I understand your situation, you want to capture 50 characters after the "-", or until the end of the line, if that is shorter?

Or do you want to get the whole line 2 in case of a multi-line event?

Can i write a conditional regular expression?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life