Splunk-Regex: Unterschied zwischen den Versionen
Aus Wiki-WebPerfect
Admin (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „== Replace function == == Replace with a regex capture== ''This regex in the replace function generates a new field "NewField" with the value of the first rege…“) |
Admin (Diskussion | Beiträge) |
||
| Zeile 1: | Zeile 1: | ||
| − | == Replace | + | [[Datei:Regular-expression.gif|right]] |
| + | |||
| + | == Replace== | ||
== Replace with a regex capture== | == Replace with a regex capture== | ||
''This regex in the replace function generates a new field "NewField" with the value of the first regex capture of the old field "OldField"'' | ''This regex in the replace function generates a new field "NewField" with the value of the first regex capture of the old field "OldField"'' | ||
Version vom 16. Mai 2019, 14:26 Uhr
Replace
Replace with a regex capture
This regex in the replace function generates a new field "NewField" with the value of the first regex capture of the old field "OldField"
| eval NewField=replace(OldField, "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources( ?:\(1\))?)?", "\1")
Explanation Replacing "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources( ?:\(1\))?)?"
- Group 1:
- "?:" = don't capture this group
- "SCVMM " = match this string
- "?" = this group 0 or 1 times
- Group 2:
- "[A-Za-z0-9\-]" = letters in upper- and lowercase or/and numbers or/and the special character "-"
- "+" = match as many times as possible
- "[A-Za-z0-9\-]" = letters in upper- and lowercase or/and numbers or/and the special character "-"
- Group 3:
- "?:" = don't capture this group
- " Resources" = match this string
- Group 4:
- "?:" = don't capture this group
- "\(" = escape "("
- "1" = match the number "1"
- "\)" = escape ")"
- "?" = this group 0 or 1 times
- Group 4:
- "?" = this group "group 3" 0 or 1 times
Replace that with "\1" = group 1
