Splunk-Regex: Difference between revisions

Revision as of 16 May 2019, 14:29

Replace

Replace with a regex capture

The eval replace function below creates a new field "NewField" that holds the first regex capture taken from the old field "OldField":

| eval NewField=replace(OldField, "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?: \(1\))?)?", "\1")

Explanation of the pattern "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?: \(1\))?)?":

  • Group 1:
    • "?:" = don't capture this group
    • "SCVMM " = match this string
      • "?" = this group 0 or 1 times
  • Group 2:
    • "[A-Za-z0-9\-]" = match upper- and lower-case letters A-Z, digits 0-9, or the special character "-" (escaped with "\")
      • "+" = match one or more times, as many times as possible
  • Group 3:
    • "?:" = don't capture this group
    • " Resources" = match this string
      • Group 4:
        • "?:" = don't capture this group
        • " " = match a space
        • "\(" = match a literal "(" (escaped with "\")
        • "1" = match the number "1"
        • "\)" = match a literal ")" (escaped with "\")
          • "?" = this group 0 or 1 times
    • "?" = this group "group 3" 0 or 1 times

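Replace the match with "\1" = the first capturing group. Groups 1, 3 and 4 in the list above are non-capturing, so "\1" refers to the list's "Group 2".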
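
The replace described above, run over sample values as an added example (not part of the original wiki page). Python's re module stands in for Splunk's regex engine here, and the host names, the MISPLACED contrast pattern and the ANCHORED variant are constructed assumptions:

```python
import re

# Constructed patterns for this example. CORRECT writes the optional " (1)"
# suffix as a non-capturing group; MISPLACED puts the space before "?:",
# which turns it into a capturing group that expects a literal ":".
CORRECT = r"(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources(?: \(1\))?)?"
MISPLACED = r"(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources( ?:\(1\))?)?"
# Assumption (not on the page): anchor so only whole-value matches are rewritten.
ANCHORED = "^" + CORRECT + "$"


def spl_replace(value, pattern):
    """Mimic eval replace(value, pattern, "\\1"): rewrite every match."""
    return re.sub(pattern, r"\1", value)


def normalize(values, pattern=CORRECT):
    """Apply the replace to each OldField value, returning (old, new) pairs."""
    return [(v, spl_replace(v, pattern)) for v in values]


# Constructed OldField values.
SAMPLES = [
    "SCVMM HV-CL01 Resources (1)",
    "SCVMM HV-CL01 Resources",
    "HV-CL01",
    "SCVMM HV-CL01 Resources failed on HV-CL02",
]

if __name__ == "__main__":
    for name, pat in (("correct", CORRECT), ("misplaced", MISPLACED),
                      ("anchored", ANCHORED)):
        print(name)
        for old, new in normalize(SAMPLES, pat):
            print(f"  {old!r:45} -> {new!r}")
```

Because the pattern is unanchored and only the hostname group is mandatory, every run of letters, digits and "-" in a value counts as a match; the anchored variant leaves values that do not fit the whole shape untouched.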