I'm trying to use this nifty regex generator using the Perl option.
http://txt2re.com/index-java.php3?s=%3CTAG\b[^%3E]*%3E%28.*?%29%3C/TAG%3E&-24
I get the code from that page in Perl format and then try to use it in Splunk as rex:
... | rex
("$re1='(file)'; # Word 1
$re2='(:)'; # Any Single Character 1
$re3='(\\/)'; # Any Single Character 2
$re4='((?:\\/[\\w\\.\\-]+)+)'; # Unix Path 1
$re5='( )'; # White Space 1
$re6='(does)'; # Word 2
$re7='( )'; # White Space 2
$re8='(not)'; # Word 3
$re9='( )'; # White Space 3
$re10='(exist)'; # Word 4
$re=$re1.$re2.$re3.$re4.$re5.$re6.$re7.$re8.$re9.$re10;
if ($txt =~ m/$re/is)
{
$word1=$1;
$c1=$2;
$c2=$3;
$unixpath1=$4;
$ws1=$5;
$word2=$6;
$ws2=$7;
$word3=$8;
$ws3=$9;
$word4=$10;
}")
here's the error I get:
Error in 'rex' command: The regex '$re1='(file)'; # Word 1 $re2='(:)'; # Any Single Character 1 $re3='(\/)'; # Any Single Character 2 $re4='((?:\/[\w\.\-]+)+)'; # Unix Path 1 $re5='( )'; # White Space 1 $re6='(does)'; # Word 2 $re7='( )'; # White Space 2 $re8='(not)'; # Word 3 $re9='( )'; # White Space 3 $re10='(exist)'; # Word 4 $re=$re1.$re2.$re3.$re4.$re5.$re6.$re7.$re8.$re9.$re10; if ($txt =~ m/$re/is) { $word1=$1; $c1=$2; $c2=$3; $unixpath1=$4; $ws1=$5; $word2=$6; $ws2=$7; $word3=$8; $ws3=$9; $word4=$10; }' does not extract anything. It should specify at least one named group. Format: (?<name>...).
Well that's Perl CODE, not a regular expression. While that tool seems nifty enough, I think you'll have more headaches trying to grab a raw regex from it than it's worth. Splunk's own field extractor has this kind of functionality, why not use that?
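To make the distinction concrete, here is an added example (not from the question or any of the answers) that takes the ten Perl fragments from the question, strips the `$reN='...'` wrapping, and rewrites each plain capturing group as the `(?<name>...)` named group that `rex` insists on. The field names, the helper names and the sample event are my own; the sample event is constructed to have the shape the fragments describe.

```javascript
// Added example: assemble the txt2re Perl fragments into one Splunk-style
// regex with named groups and check it against a constructed sample event.
// Field names, helper names and the sample event are assumptions, not from
// the original post.

// The ten fragments from the Perl snippet, with the $reN='...' wrapping and
// the trailing comments removed. Each one is a plain (unnamed) capturing group.
const PERL_FRAGMENTS = [
  ['word1',     '(file)'],
  ['c1',        '(:)'],
  ['c2',        '(\\/)'],
  ['unixpath1', '((?:\\/[\\w\\.\\-]+)+)'],
  ['ws1',       '( )'],
  ['word2',     '(does)'],
  ['ws2',       '( )'],
  ['word3',     '(not)'],
  ['ws3',       '( )'],
  ['word4',     '(exist)'],
];

// What the Perl code builds ($re1.$re2...$re10): a regex with only unnamed groups.
function perlOnlyPattern() {
  return PERL_FRAGMENTS.map(([, frag]) => frag).join('');
}

// rex turns every (?<name>...) group into a field, so rewrite the opening "("
// of each fragment as "(?<name>". Names follow the PCRE rule: letters, digits
// and underscore, not starting with a digit.
function toNamedGroups(fragments) {
  return fragments.map(([name, frag]) => {
    if (!/^[A-Za-z_]\w*$/.test(name)) throw new Error(`bad group name: ${name}`);
    if (!frag.startsWith('(') || frag.startsWith('(?')) throw new Error(`not a plain group: ${frag}`);
    return `(?<${name}>${frag.slice(1)}`;
  }).join('');
}

// The check rex performs before accepting a pattern: at least one named group.
function hasNamedGroup(pattern) {
  return /\(\?<[A-Za-z_]\w*>/.test(pattern);
}

// Apply a pattern to one event and return the named groups as a plain object.
// Returns null when the event does not match at all; returns {} when it matches
// but carries no named groups, which is exactly the case rex rejects.
function extractFields(pattern, event) {
  const m = new RegExp(pattern, 'is').exec(event);   // 'is' mirrors Perl's m/.../is
  return m ? { ...m.groups } : null;
}

const NAMED_PATTERN = toNamedGroups(PERL_FRAGMENTS);

// In practice only the path deserves a field. Keeping the rest literal means the
// nine throwaway fields (c1, ws1, ...) never show up in search results.
const SIMPLE_PATTERN = 'file:\\/(?<unixpath>(?:\\/[\\w\\.\\-]+)+) does not exist';

// Constructed sample event, shaped like the text the fragments describe.
const SAMPLE_EVENT = 'ERROR file://var/log/app.log does not exist (constructed sample)';

console.log('Perl-only pattern has named group:', hasNamedGroup(perlOnlyPattern()));
console.log('Named pattern:', NAMED_PATTERN);
console.log('Fields from named pattern:', extractFields(NAMED_PATTERN, SAMPLE_EVENT));
console.log('Fields from simple pattern:', extractFields(SIMPLE_PATTERN, SAMPLE_EVENT));
```

Either `NAMED_PATTERN` or `SIMPLE_PATTERN` can be dropped straight into `... | rex "<pattern>"`; each named group becomes a field on the event. The `\/` escapes are a leftover of Perl's `m/.../` delimiters and are harmless in PCRE, but the quote-delimited `rex` string does not need them.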
you can also use the 'erex' command.
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Erex
I find the field extractor hard to work with... when you go into extract fields, if the data you're looking to extract isn't part of the sample then you kinda have a hard time.