Splunk Search

Can you help me understand the syntax of this rex field and where such commands are used?

maheshsat
Explorer

rex field=GB"(?[^]+)"

Hi Team, can anyone help me understand each part of the syntax in the above command? I would also like to know where such commands are used.

0 Karma
1 Solution

mayurr98
Super Champion
Term | Description | Example | Explanation
* | Match zero or more times. | \w* | Matches zero or more word characters.
+ | Match one or more times. | \d+ | Matches at least one digit.
? | Match zero or one time. | \d\d\d-?\d\d-?\d\d\d\d | Matches a Social Security Number with or without dashes.
( ) | Parentheses define match or capture groups, atomic groups, and lookarounds. | (H..).(o..) | When given the string Hello World, this matches Hel and o W.
[ ] | Square brackets define character classes. | [a-z0-9#] | Matches any character that is a through z, 0 through 9, or #.
{ } | Curly brackets define repetitions. | \d{3,5} | Matches a string of 3 to 5 digits in length.
< > | Angle brackets define named capture groups. Use the syntax (?P<var> ...) to set up a named field extraction. | (?P<ssn>\d\d\d-\d\d-\d\d\d\d) | Pulls out a Social Security Number and assigns it to the ssn field.
[[ ]] | Double brackets define Splunk-specific modular regular expressions. | [[octet]] | A validated 0-255 range integer.

Also refer to this link, where you can learn and write regex for specific events:
https://regex101.com/

Let me know if this helps you!


0 Karma

maheshsat
Explorer

Thanks everyone for helping me.

0 Karma

richgalloway
SplunkTrust

@maheshsat, if your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma


nikita_p
Contributor

Hi @maheshsat,
You can check the Splunk docs below to understand regular expression syntax.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/AboutSplunkregularexpressions

0 Karma

martin_mueller
SplunkTrust

rex: the command for inline field extractions, see http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/rex
field=GB: use that field to extract from
(): regex capturing group
?<gb>: name the group gb, resulting in a field called gb
[]: regex character class
^: negates whatever is after the ^ in the character class, this is missing in your example. If it were [^a], this would match every character except an a
+: one or more matches
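As an added example (not code from any poster in this thread), the Python below models what the rex command in martin_mueller's breakdown does, using the tokens from mayurr98's table: it rewrites the Splunk/PCRE (?<name>...) group into Python's (?P<name>...), applies the pattern to one field of each event, and shows why the [^]+ from the question fails to compile while [^ ]+ works. The events, the GB field values and the gb field name are constructed for this example.

```python
import re

# Constructed sample events, each a dict of Splunk-style fields (not real data).
EVENTS = [
    {"GB": "12.5GB used", "host": "srv01"},
    {"GB": "   ", "host": "srv02"},          # only spaces: [^ ]+ cannot match
    {"GB": "980MB used", "host": "srv03"},
]

# Splunk uses PCRE, where a named group is written (?<name>...). Python's re
# module only accepts (?P<name>...), so rewrite that prefix. The negative
# lookahead (?![=!]) leaves lookbehinds such as (?<=x) and (?<!x) untouched.
_SPLUNK_NAMED = re.compile(r"\(\?<(?![=!])(\w+)>")


def to_python_regex(pcre):
    """Convert Splunk/PCRE named-group syntax to Python syntax."""
    return _SPLUNK_NAMED.sub(r"(?P<\1>", pcre)


def is_valid_regex(pattern):
    """True if the Splunk-style pattern compiles. [^]+ is rejected because
    a ']' directly after '[^' is a literal, so the class is never closed."""
    try:
        re.compile(to_python_regex(pattern))
        return True
    except re.error:
        return False


def rex(events, field, pattern):
    """Mimic `rex field=<field> "<pattern>"`: every named capture group
    becomes a new field on the event. Events whose field is missing or does
    not match pass through unchanged, which is how rex behaves in a search."""
    compiled = re.compile(to_python_regex(pattern))
    out = []
    for ev in events:
        new = dict(ev)                      # do not mutate the input event
        value = ev.get(field)
        if value is not None:
            m = compiled.search(value)      # rex finds the first match
            if m:
                new.update(m.groupdict())   # e.g. {"gb": "12.5GB"}
        out.append(new)
    return out


if __name__ == "__main__":
    print(is_valid_regex(r"(?<gb>[^]+)"), is_valid_regex(r"(?<gb>[^ ]+)"))
    for ev in rex(EVENTS, "GB", r"(?<gb>[^ ]+)"):
        print(ev)
```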

mayurr98
Super Champion

Please use 101010 and type your rex query there.

0 Karma

maheshsat
Explorer
rex field=GB"(?<gb>[^]+)"
0 Karma

martin_mueller
SplunkTrust

Make sure you have the correct SPL string, and use the code sample button in the editor to post it here to include all special chars.

As it's readable in your current question there are several syntax issues.

0 Karma