All,
I just wanted to ask a question I should probably know the answer to, but have never been told, or found resources which answer the question...
I am still fairly new to Regular Expressions, and not aware if this is a specific Splunk question or a RegEx question...
What are the meanings of the values such as (?i) (?P<fieldname>) <- i.e. the "?P"?
Is there any documentation on this?
Regards,
MHibbin
(?i) = ignore case
P = added by the python generated regex if you use the Interactive field extractor. Used for grouping.
It will work without the P.
(?< >) = the field name you want to create based on the group extraction.
You can find examples here:
http://docs.splunk.com/Documentation/Splunk/4.2.4/Knowledge/Createandmaintainsearch-timefieldextract...
The letter P didn't do any harm when I used it in Splunk web search with "rex". But if I use the word in props.conf, it fails to extract the field. Not sure why.
Can you post your regex here?
This is a PCRE (Perl-compatible regular expression) declaration of a named capture.
The website http://www.regular-expressions.info/named.html gives a lot of explanation and examples.
Useful link thanks BobM
Thanks for explanation, thanks rroberts
The ?P means matched strings are available in the rest of the regex. Most often you probably don't need this.
Splunk uses Python's regex engine, so this documentation is valid: http://docs.python.org/library/re.html
Useful information thanks Ayn
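Added example, not part of any post in this thread: a Python sketch for checking an extraction regex of this kind offline. Python's `re` module accepts only the `(?P<name>...)` spelling of a named group, while PCRE also accepts `(?<name>...)`, so the helper rewrites the latter and leaves lookbehinds such as `(?<=...)` untouched. The pattern, the helper names and the log lines are constructed for illustration.

```python
import re

# Constructed sample events (not taken from the thread).
SAMPLE_EVENTS = [
    "2012-03-01 10:15:02 LOGIN user=alice src=10.0.0.5 status=Failed",
    "2012-03-01 10:15:09 login USER=bob src=10.0.0.9 STATUS=success",
    "2012-03-01 10:15:11 heartbeat ok",
]

# Hypothetical pattern in PCRE spelling: (?i) makes the whole pattern
# case-insensitive, (?<name>...) creates fields, (?<=...) is a lookbehind.
PCRE_STYLE = (r"(?i)(?<=login )user=(?<user>\w+)\s+"
              r"src=(?<src>[\d.]+)\s+status=(?<status>\w+)")

# "(?<" followed by a letter or underscore opens a named group;
# "(?<=" and "(?<!" are lookbehinds and must stay as they are.
# Limitation: an escaped "\(" or a "(" inside [...] is not recognised.
_NAMED_GROUP = re.compile(r"\(\?<(?=[A-Za-z_])")


def to_python_syntax(pattern):
    """Rewrite (?<name>...) as (?P<name>...) so Python's re can compile it."""
    return _NAMED_GROUP.sub("(?P<", pattern)


def python_accepts(pattern):
    """True when Python's re module can compile the pattern as written."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract_fields(pattern, event):
    """Return {field: value} from the named groups, or {} on no match."""
    match = re.search(to_python_syntax(pattern), event)
    return match.groupdict() if match else {}


if __name__ == "__main__":
    print("compiles unchanged in Python:", python_accepts(PCRE_STYLE))
    print("rewritten:", to_python_syntax(PCRE_STYLE))
    for event in SAMPLE_EVENTS:
        print(extract_fields(PCRE_STYLE, event))
```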