Splunk-Regex

From Wiki-WebPerfect

Replace

Replace with a regex capture

Used inside the replace function, this regex creates a new field "NewField" holding the value of the first capture group taken from the existing field "OldField":

| eval NewField=replace(OldField, "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?:\(1\))?)?", "\1")

Explanation of the pattern "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?:\(1\))?)?"

  • Group 1: "(?:SCVMM )?"
    • "?:" = don't capture this group
    • "SCVMM " = match this literal string
      • "?" = this group 0 or 1 times
  • Group 2: "([A-Za-z0-9\-]+)"
    • "[A-Za-z0-9\-]" = match one upper- or lower-case letter A-Z, one digit 0-9, or the special character "-" (escaped with "\")
      • "+" = match as many times as possible, at least once
  • Group 3: "(?: Resources(?:\(1\))?)?"
    • "?:" = don't capture this group
    • " Resources" = match this literal string
      • Group 4: "(?:\(1\))?"
        • "?:" = don't capture this group
        • "\(" = literal "(" (escaped)
        • "1" = match the number "1"
        • "\)" = literal ")" (escaped)
          • "?" = this group 0 or 1 times
    • "?" = this group ("group 3") 0 or 1 times

Replace the match with "\1" = the first capturing group (Group 2 above; Groups 1, 3 and 4 are non-capturing and therefore don't count)


Named capturing group (?<Group-Name>)

A capturing group can be given a name, which you then use to refer to its value instead of a number.

Example
String: Test Regex the Value is 100%.
You want only the numeric value captured, under the group name "Value".

Regex-Definition

(?:[a-zA-Z\s]+)(?<Value>[0-9]+)(?:\%\.)
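Added example (not from the wiki page) that runs both patterns above, the replace-with-capture pattern and the named-group pattern, over constructed sample values so the effect of the optional prefix and suffix is visible; note that Python's re module spells a named group (?P<Value>...) where Splunk (PCRE) writes (?<Value>...), while the "\1" replacement syntax is the same in both.

```python
import re

# Replace pattern from the page: optional "SCVMM " prefix, one capturing group for
# the name, optional " Resources" or " Resources(1)" suffix. Only the middle group
# captures, so it is "\1" in the replacement.
REPLACE_PATTERN = re.compile(r"(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?:\(1\))?)?")

# Named-group pattern from the page, in Python syntax: (?P<Value>...) instead of
# the PCRE/Splunk form (?<Value>...).
NAMED_PATTERN = re.compile(r"(?:[a-zA-Z\s]+)(?P<Value>[0-9]+)(?:\%\.)")


def new_field(old_field: str) -> str:
    """Mimic `| eval NewField=replace(OldField, <pattern>, "\\1")`.

    Like Splunk's replace(), re.sub rewrites every match in the string, so
    values that lack the prefix/suffix shape pass through unchanged.
    """
    return REPLACE_PATTERN.sub(r"\1", old_field)


def extract_value(text: str):
    """Return the digits captured under the group name "Value", or None."""
    m = NAMED_PATTERN.search(text)
    return m.group("Value") if m else None


# Constructed sample values (assumed, not taken from the page) covering
# every combination of the optional parts.
SAMPLES = {
    "SCVMM Cluster01 Resources(1)": "Cluster01",  # prefix + suffix + "(1)"
    "SCVMM Cluster01 Resources": "Cluster01",     # prefix + suffix
    "Cluster01 Resources(1)": "Cluster01",        # suffix only
    "SCVMM Cluster01": "Cluster01",               # prefix only
    "Cluster01": "Cluster01",                     # nothing to strip
    "Some Other Host": "Some Other Host",         # each word is replaced by itself
}

if __name__ == "__main__":
    for old, expected in SAMPLES.items():
        got = new_field(old)
        print(f"{old!r:32} -> {got!r} {'ok' if got == expected else 'MISMATCH'}")
    print(extract_value("Test Regex the Value is 100%."))  # 100
```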


Splunk Regex document from SplunkConf 2017: Datei:Regex-in-your-spl.pdf (Source = https://conf.splunk.com/files/2017/slides/regex-in-your-spl.pdf)