wether or is possible inside a regex

Question

hi,

A1.abc-ab.1000.11111
A1.ab.1000.11111

This is the format of data what iam trying to extract using regex.Since both the datas are values of same instance i want to exctract these both values using 1 regex so as to compare it with other values

... | rex field=_raw "(?<value>(\w\d\.\w+\-\w+\.\d{4}\-\d{8})|(\w\d\.\w+\.\d{4}\.d{7}))"| table value

this is what i have tried but it is fetching only the data matching with the first bracket ie A1.abc-ab.1000.11111 .Please help

Answer 1

0

There are a couple of errors in your regex, and you're probably making it too complicated. \w also matches digits, and you're missing the backslash for the last \d. Using character classes ([]) simplifies a lot.

rex field=_raw "\s(?<value>[\w]+\.[\w-]+\.\d+\.\d+)\s"

should do it. Note that this may also capture other stuff in your log. Please post some a couple of log events to get better answers.

Hope this helps,

Kristian

link

answered 09 May '12, 03:36

kristian.kolb
9.8k●6●15
accept rate: 33%

edited 09 May '12, 03:43

updated. /k

(09 May '12, 03:43) kristian.kolb

wether or is possible inside a regex

Follow this question

Splunk Resources

Related questions