- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: First match from end of the line regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Everyone,
Trying to get the expression to read first match from the end off the line and not the beginning of the line.
| makeresults | eval TEST="beginning of line Facility=test341 Message=test123 end of line" | rex field=TEST max_match=0 "(?i)(?<testfromend>(Facility\=|Message\=)[^$]*)" | mvcombine testfromend
Was hoping this would extract "Message=test123 end of line". Instead i get Facility= and everything after because its reading from the beginning of the line still.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey subtrakt,
try this one:
(?i).*(?<testfromend>(Facility\=|Message\=)[^$]*?)$
Update: even better:
(?i)(?<testfromend>(Facility\=|Message\=)[^\=]*?)$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey subtrakt,
try this one:
(?i).*(?<testfromend>(Facility\=|Message\=)[^$]*?)$
Update: even better:
(?i)(?<testfromend>(Facility\=|Message\=)[^\=]*?)$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ended up using the first solution.
I guess the .* enables the search from end of line and a more flexible option.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey subtrakt,
why not use (?i)(?<testfromend>Message\=[^$]*) then?
BUT... if you want to extract the value of facility and of message do the following:
(?i)Facility=(?<facility>[^\s]*)\s*Message=(?<message>.*)
https://regex101.com/r/DGZX5X/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's other cases in the logs that require different conditions searching from the end of the line.
After testing around all those conditions I found the answer selected was the best global option.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Pyro.
Just experimenting without using eval and creating unnecessary fields. The condition requires message to always take precedence.
Sometimes Message= is not in the log. Sometimes it is. When message is not in the log, it needs to capture Facilility to end of line.
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
