Splunk-Regex: Unterschied zwischen den Versionen

Aus Wiki-WebPerfect
Wechseln zu: Navigation, Suche
K
(2 dazwischenliegende Versionen des gleichen Benutzers werden nicht angezeigt)
Zeile 30: Zeile 30:
  
  
 +
== Named capturing group (?<Group-Name>) ==
 +
You can name a captured group with regex.
 +
 +
'''Example'''<br>
 +
String: ''Test Regex the Value is 100%.'' <br>
 +
You want the only value captured with the Group-Name of "Value"<br>
 +
 +
'''Regex-Definition'''
 +
(?:[a-zA-Z|\s]+)(?<Value>[0-9]+)(?:\%\.)
  
  

Version vom 11. Juni 2019, 11:48 Uhr

Regular-expression.gif

Replace

Replace with a regex capture

This regex in the replace function generates a new field "NewField" with the value of the first regex capture of the old field "OldField"

| eval NewField=replace(OldField, "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources( ?:\(1\))?)?", "\1")

Explanation Replacing "(?:SCVMM )?([A-Za-z0-9\-]+)(?: Resources( ?:\(1\))?)?"

  • Group 1:
    • "?:" = don't capture this group
    • "SCVMM " = match this string
      • "?" = this group 0 or 1 times
  • Group 2:
    • "[A-Za-z0-9\-]" = match upper and lower case A-Z or/and numbers from 0-9 or/and special character "-" escaped with "\"
      • "+" = match as many times as possible
  • Group 3:
    • "?:" = don't capture this group
    • " Resources" = match this string
      • Group 4:
        • "?:" = don't capture this group
        • "\(" = escape "("
        • "1" = match the number "1"
        • "\)" = escape ")"
          • "?" = this group 0 or 1 times
    • "?" = this group "group 3" 0 or 1 times

Replace that with "\1" = group 1


Named capturing group (?<Group-Name>)

You can name a captured group with regex.

Example
String: Test Regex the Value is 100%.
You want the only value captured with the Group-Name of "Value"

Regex-Definition

(?:[a-zA-Z|\s]+)(?<Value>[0-9]+)(?:\%\.)