Refine your search:

Why doesn't this regex work?

0

Let's say I have these 2 events in my index:

04-06 15:56:03 This is another log line of text 654321
04-06 15:55:03 This is a log line of text 123456

I can simply enter index="test" log on the search bar and will see both events return, however, if I enter index="test" regex="log" in the search bar, it returns 0 events. This regex is valid PCRE. Entering index="test" regex=".*log.*" doesn't return any results either.

asked 06 Apr '11, 18:53

ccannon1's gravatar image

ccannon1
111
accept rate: 0%

One Answer:
oldestnewestmost voted
3

With regex="log" you're actually performing a field search on the field regex. You probably want to use the regex command instead.

index=test | regex _raw="log"
link

answered 06 Apr '11, 19:06

ziegfried's gravatar image

ziegfried ♦
10.1k1618
accept rate: 52%

1

Or, when you just need basic wildcard matches, you can skip the regex processing altogether and use "log" instead of the regex "log."

(08 Apr '11, 04:02) southeringtonp ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×462

Asked: 06 Apr '11, 18:53

Seen: 1,107 times

Last updated: 06 Apr '11, 19:06

Related questions

Regex matching in search when it doesn't in regex creator

Invalid regex when using `|`

Search Issues with regex field1= "..." | regex field1="..."

v4.1.4 REGEX works.....v4.3.2 Doesn't

Why do I get different Search Behavior depending on fields.conf?

Search-time extraction works, new field extraction doesn't

regex to match everything between the 25th and 130th characters in a line

Regular expression help and error (Regex: unmatched parentheses )

Trim field for operations

Copyright © 2005-2012 Splunk Inc. All rights reserved.