Splunk-Regex: Unterschied zwischen den Versionen
Aus Wiki-WebPerfect
Admin (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „== Replace function == == Replace with a regex capture== ''This regex in the replace function generates a new field "NewField" with the value of the first rege…“) |
Admin (Diskussion | Beiträge) |
||
| (6 dazwischenliegende Versionen des gleichen Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
| − | == Replace | + | [[Datei:Regular-expression.gif|right]] |
| + | |||
| + | == Replace== | ||
== Replace with a regex capture== | == Replace with a regex capture== | ||
''This regex in the replace function generates a new field "NewField" with the value of the first regex capture of the old field "OldField"'' | ''This regex in the replace function generates a new field "NewField" with the value of the first regex capture of the old field "OldField"'' | ||
| Zeile 11: | Zeile 13: | ||
***"?" = this group 0 or 1 times | ***"?" = this group 0 or 1 times | ||
*Group 2: | *Group 2: | ||
| − | **"[A-Za-z0-9\-]" = | + | **"[A-Za-z0-9\-]" = match upper and lower case A-Z or/and numbers from 0-9 or/and special character "-" escaped with "\" |
***"+" = match as many times as possible | ***"+" = match as many times as possible | ||
*Group 3: | *Group 3: | ||
| Zeile 26: | Zeile 28: | ||
Replace that with "\1" = group 1 | Replace that with "\1" = group 1 | ||
| + | |||
| + | |||
| + | == Named capturing group (?<Group-Name>) == | ||
| + | You can name a captured group with regex. | ||
| + | |||
| + | '''Example'''<br> | ||
| + | String: ''Test Regex the Value is 100%.'' <br> | ||
| + | You want the only value captured with the Group-Name of "Value"<br> | ||
| + | |||
| + | '''Regex-Definition''' | ||
| + | (?:[a-zA-Z|\s]+)(?<Value>[0-9]+)(?:\%\.) | ||
| + | ''Splunk Regex document from SplunkConf 2017: [[Datei:Regex-in-your-spl.pdf]] (Source = https://conf.splunk.com/files/2017/slides/regex-in-your-spl.pdf)'' | ||
Aktuelle Version vom 11. August 2020, 07:45 Uhr
Replace
Replace with a regex capture
This regex in the replace function generates a new field "NewField" with the value of the first regex capture of the old field "OldField"
| eval NewField=replace(OldField, "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources( ?:\(1\))?)?", "\1")
Explanation Replacing "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources( ?:\(1\))?)?"
- Group 1:
- "?:" = don't capture this group
- "SCVMM " = match this string
- "?" = this group 0 or 1 times
- Group 2:
- "[A-Za-z0-9\-]" = match upper and lower case A-Z or/and numbers from 0-9 or/and special character "-" escaped with "\"
- "+" = match as many times as possible
- "[A-Za-z0-9\-]" = match upper and lower case A-Z or/and numbers from 0-9 or/and special character "-" escaped with "\"
- Group 3:
- "?:" = don't capture this group
- " Resources" = match this string
- Group 4:
- "?:" = don't capture this group
- "\(" = escape "("
- "1" = match the number "1"
- "\)" = escape ")"
- "?" = this group 0 or 1 times
- Group 4:
- "?" = this group "group 3" 0 or 1 times
Replace that with "\1" = group 1
Named capturing group (?<Group-Name>)
You can name a captured group with regex.
Example
String: Test Regex the Value is 100%.
You want the only value captured with the Group-Name of "Value"
Regex-Definition
(?:[a-zA-Z|\s]+)(?<Value>[0-9]+)(?:\%\.)
Splunk Regex document from SplunkConf 2017: Datei:Regex-in-your-spl.pdf (Source = https://conf.splunk.com/files/2017/slides/regex-in-your-spl.pdf)
