In this blog we are going to explain the basic operators of regular expressions. Splunk supports PCRE (Perl Compatible Regular Expressions). A regular expression is basically a pattern matching language: the basic concept behind it is to find a pattern in the text we have.

In Splunk it is basically used for 3 different purposes:
1) To extract a new field or create a new field
2) To filter out different events based on a regular expression

Here we are using Regular expressions 101 to test our regular expressions. We will discuss the common regular expressions which can be used to filter out data.

Some of the basic commands to match the regular expression are expressed here.

. : It matches any character except a new line. It can always be used as a wildcard character.
As you can see in the above example, by providing the ‘.’ it matches the entire test string.

ab : It matches the string provided, such as ab, or any other string which is required to be matched, for eg
As you can see, the string ar provided in the above expression matches in the test string.

a|b : It matches either or both of the above characters when they are found in the string.

(3) \ : Also known as the escape character. It is used to escape any special character that may be used in the string.

The quantifiers in regular expressions specify how many instances of a character, group, or character class must be present in the input for a match to be found. The following important quantifiers are discussed.

(1) * : This character matches 0, 1 or more of the previous character which is specified.
As you can see in the above example, ( i* ) matches every i character in the test string when provided with the quantifier (*).

(2) + : This character matches 1 or more of the previous character when used in the regular expression.
From the above eg it can be seen that it matches splunk and splunk+ but not splun, as given in the test string.

(3) ? : This character matches exactly 0 or 1 occurrence of the previous character when specified in the regular expression.

The characters (*) and (+) specified above cause the regular expression engine to match as many occurrences as possible. Appending the (?) character to a quantifier makes it lazy: it causes the regular expression engine to match as few occurrences as possible.
Here it matches the previous token (splunk) between 0 and 1 times, as many times as possible, thus giving us a greedy match.
Here, with the above quantifier (?) placed after the token, it matches between one and unlimited times, as few times as possible, expanding as needed, thus giving us a lazy match.

(4) {n,m} : It matches the previous character from n to m times in the regular expression.
It can be seen that it matches the previous token between 1 and 2 times, as many times as possible, in the given string.

Groups play an important role in regular expressions. In Splunk they play a vital role because if you want to extract a new field, you need to create a named group. The open and close parentheses () in a regular expression always match a group of characters.
Here you can observe from the above example that Group 1 is created for the characters which we put in those parentheses.

When the expression is complex and there are too many parentheses in the expression, it becomes difficult to keep track. In such a case you can always capture a group by naming it, using the expression ?<Name> immediately after the opening parenthesis.
As you can see in the above example, abc, pqr and xyz are the groups that have been created. So we can categorize the above groups in the field called Name by using the above expression. So it can be seen that a group called “Name” has been created for the parentheses in which the characters are enclosed.
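The quantifiers and named groups described above, used for a Splunk-style field extraction over a constructed log event; this is an added example, not code from the original post, and the event format and field names are its own assumptions. One translation is needed when prototyping outside Splunk: Python's re module spells a named group (?P<name>...) where Splunk's PCRE spells it (?<name>...).

```python
import re

# Constructed sample event (not from the page), key=value style with quoted values.
EVENT = 'src=10.0.0.7 user="alice" action="login failed" attempts=3 host=web-01'

# Named groups become the extracted field names, as Splunk's rex does with (?<name>...).
# Python's re spells the same thing (?P<name>...); everything else is PCRE-compatible here.
FIELD_RE = re.compile(
    r'src=(?P<src>(?:\d{1,3}\.){3}\d{1,3})\s+'   # {n,m}: each octet is 1 to 3 digits
    r'user="(?P<user>[^"]*)"\s+'                 # *: zero or more non-quote characters
    r'action="(?P<action>.*?)"\s+'               # lazy .*?: stop at the first closing quote
    r'attempts=(?P<attempts>\d+)'                # +: one or more digits
)
# Note: \d{1,3} only bounds the digit count; it does not validate that an octet is 0-255.


def extract_fields(event: str) -> dict:
    """Return the named groups as a field dict (like Splunk's rex), or {} if no match."""
    m = FIELD_RE.search(event)
    return m.groupdict() if m else {}


def greedy_vs_lazy(event: str) -> tuple:
    """Why a quoted value needs a lazy quantifier.

    Greedy "(.*)" expands to the LAST quote on the line, so the user field would
    swallow the action value; lazy "(.*?)" stops at the first quote after the value.
    """
    greedy = re.search(r'user="(.*)"', event).group(1)
    lazy = re.search(r'user="(.*?)"', event).group(1)
    return greedy, lazy


if __name__ == "__main__":
    print(extract_fields(EVENT))
    print(greedy_vs_lazy(EVENT))
```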