Splunk-Regex

From Wiki-WebPerfect
Version as of 16 May 2019, 14:24 by Admin (talk | contribs)

Replace function

Replace with a regex capture

This replace() call in an eval creates a new field "NewField" holding the first regex capture taken from the existing field "OldField". The search pattern as written on the page contained a misplaced space (`( ?:\(1\))?`, which would have made group 4 a capturing group requiring a literal ":"); it is corrected here to match the explanation below.

| eval NewField=replace(OldField, "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?:\(1\))?)?", "\1")

Explanation of the pattern "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?:\(1\))?)?"

  • Group 1 (non-capturing):
    • "?:" = don't capture this group
    • "SCVMM " = match this string (including the trailing space)
      • "?" = this group 0 or 1 times
  • Group 2 (capturing):
    • "[A-Za-z0-9\-]" = upper- or lowercase letters and/or digits and/or the special character "-"
      • "+" = one or more times, matching as many characters as possible
  • Group 3 (non-capturing):
    • "?:" = don't capture this group
    • " Resources" = match this string (including the leading space)
      • Group 4 (non-capturing, nested in group 3):
        • "?:" = don't capture this group
        • "\(" = escaped "(", matched literally
        • "1" = match the digit "1"
        • "\)" = escaped ")", matched literally
          • "?" = this group 0 or 1 times
    • "?" = this group ("group 3") 0 or 1 times

Replace each match with "\1" = group 1. Only capturing groups are numbered for backreferences, so "\1" is the group labelled "Group 2" above; the "(?:...)" groups do not count. Note that replace() rewrites every match in the field, so any part of the value the pattern does not cover stays in "NewField".
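To check the pattern outside Splunk, the following added example (not from the wiki) emulates the replace() call with Python's re module on constructed sample values of OldField; it assumes, which holds for this pattern, that Python's re and Splunk's PCRE interpret the syntax identically. It also shows the edge case where an unmatched suffix survives the replacement.

```python
import re

# The corrected search pattern from the eval above.
# Only the middle group captures, so "\1" is the host-like name.
PATTERN = re.compile(r"(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?:\(1\))?)?")


def new_field(old_field: str) -> str:
    """Mirror `eval NewField=replace(OldField, PATTERN, "\\1")`.

    Like Splunk's replace(), re.sub() rewrites every match, collapsing
    each one to its first (and only) capturing group.
    """
    return PATTERN.sub(r"\1", old_field)


def capturing_groups() -> int:
    """Number of capturing groups: only these can be addressed as \\1, \\2, ...
    The (?:...) groups explained on the page are invisible to backreferences."""
    return PATTERN.groups


if __name__ == "__main__":
    # Constructed sample values of OldField, not data from the wiki.
    samples = [
        "SCVMM Host01 Resources(1)",  # every optional part present -> "Host01"
        "Host02 Resources",           # no SCVMM prefix, no (1) suffix -> "Host02"
        "Web-Srv-03",                 # bare name with hyphens, unchanged
        "Host04 Resources (1)",       # space before (1): that suffix is not covered
    ]
    print("capturing groups:", capturing_groups())  # 1 -> "\1" is the name
    for value in samples:
        print(f"{value!r:30} -> {new_field(value)!r}")
```

The last sample yields "Host04 (1)": the pattern consumes "Host04 Resources" but not " (1)", and the stray "1" is matched on its own and replaced by itself, so the leftover stays in NewField.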