Splunk-Regex
From Wiki-WebPerfect
Version of 11 June 2019, 11:47 by Admin
Replace
Replace with a regex capture
This regex in the replace() function creates a new field "NewField" holding the first regex capture taken from the old field "OldField":
| eval NewField=replace(OldField, "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?:\(1\))?)?", "\1")
Explanation of the pattern "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?:\(1\))?)?"
- Group 1, "(?:SCVMM )?":
  - "?:" = don't capture this group
  - "SCVMM " = match this string
  - "?" = match this group 0 or 1 times
- Group 2, "([A-Za-z0-9\-]+)":
  - "[A-Za-z0-9\-]" = match an upper- or lower-case letter A-Z, a digit 0-9, or the special character "-" (escaped with "\")
  - "+" = match that character class one or more times, as many times as possible (greedy)
- Group 3, "(?: Resources(?:\(1\))?)?":
  - "?:" = don't capture this group
  - " Resources" = match this string
  - Group 4, "(?:\(1\))?", nested inside group 3:
    - "?:" = don't capture this group
    - "\(" = match a literal "(", escaped with "\"
    - "1" = match the number "1"
    - "\)" = match a literal ")", escaped with "\"
    - "?" = match group 4 0 or 1 times
  - "?" after the closing parenthesis = match group 3 0 or 1 times
Replace each match with "\1", the first (and only) capture: the "?:" groups are not numbered, so backreference 1 is the text matched by the capturing group 2 above.
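As an added example, not part of the wiki page, the same replace() call emulated with Python's re module, which like Splunk's replace() substitutes every match and accepts "\1" in the replacement. The sample field values are constructed, and the anchored variant is an addition to show what happens when a value does not match the whole pattern.

```python
import re

# The wiki page's pattern, with the inner group written as a proper
# non-capturing group "(?:\(1\))?" (the page's "( ?:" is a typo).
PATTERN = re.compile(r"(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?:\(1\))?)?")

# Same pattern anchored to the whole field value (added variant, not on the page).
ANCHORED = re.compile(r"^(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?:\(1\))?)?$")


def extract_name(old_field: str) -> str:
    """Emulate `| eval NewField=replace(OldField, "<pattern>", "\\1")`.

    Like Splunk's replace(), re.sub() rewrites *every* match, and "\\1" is the
    text of the first capturing group (the "?:" groups are not numbered).
    """
    return PATTERN.sub(r"\1", old_field)


def extract_name_anchored(old_field: str) -> str:
    """Stricter variant: only rewrite the field when the whole value matches;
    otherwise return it unchanged instead of producing a half-rewritten value."""
    m = ANCHORED.fullmatch(old_field)
    return m.group(1) if m else old_field


# Constructed sample field values, not taken from a real SCVMM environment.
SAMPLES = [
    "SCVMM Cluster01 Resources",       # typical value -> "Cluster01"
    "SCVMM Cluster01 Resources(1)",    # with the "(1)" suffix -> "Cluster01"
    "Host-A",                          # no prefix/suffix -> "Host-A"
    "SCVMM Cluster01 Resources (1)",   # space before "(1)": not covered by the pattern
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:40} replace -> {extract_name(value)!r:16} "
              f"anchored -> {extract_name_anchored(value)!r}")
```

The last sample shows the caveat: because replace() rewrites every match, a value with a space before "(1)" comes out as "Cluster01 (1)" rather than "Cluster01", since the trailing "1" is itself a second match. Anchoring the pattern with "^" and "$" makes such values fall through unchanged, which is easier to spot in a search than a silently mangled field.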
Named capturing group
You can name a capture group in the regex. Example: the only captured value gets the group name "Value":
(?:[a-zA-Z|\s]+)(?<Value>[0-9]+)(?:\%\.)
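As an added example, not from the wiki page, the named-group regex above applied to a few constructed events in Python, emulating what `| rex field=_raw "..."` would extract. Python's re module spells the named group "(?P<Value>...)" where Splunk's PCRE uses "(?<Value>...)"; the rest of the pattern is unchanged.

```python
import re

# The page's regex; Splunk (PCRE) spells the named group "(?<Value>...)",
# Python's re module spells it "(?P<Value>...)". Everything else is unchanged.
VALUE_RE = re.compile(r"(?:[a-zA-Z|\s]+)(?P<Value>[0-9]+)(?:\%\.)")


def rex_value(raw: str) -> dict:
    """Emulate `| rex field=_raw "<pattern>"`: return the named groups of the
    first match as a field dict, or an empty dict when the event does not match
    (Splunk would simply leave the field unset)."""
    m = VALUE_RE.search(raw)
    return m.groupdict() if m else {}


def rex_events(events: list) -> list:
    """Apply rex_value() to a list of raw events, keeping the original text."""
    return [{"_raw": e, **rex_value(e)} for e in events]


# Constructed sample events, not real log data.
EVENTS = [
    "Disk usage 87%.",        # matches: Value=87
    "CPU load 15%",           # no "." after "%": no match, Value stays unset
    "Version 2 of 10%.",      # first position where the whole pattern fits: Value=10
]

if __name__ == "__main__":
    for row in rex_events(EVENTS):
        print(row)
```

Two things about the pattern worth knowing before reusing it: inside a character class "[a-zA-Z|\s]" the "|" is a literal pipe, not alternation, and "\%" is an unnecessary escape that both PCRE and Python accept as a plain "%". The third event shows that rex takes the first position where the complete pattern matches, so "2" is skipped because it is not followed by "%.".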