Comments on: Advanced Regular Expressions: Some Tools and an Example http://www.laneolson.ca/2010/02/09/advanced-regular-expressions-some-tools-and-an-example/ Thu, 06 Jan 2011 20:30:32 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Adam http://www.laneolson.ca/2010/02/09/advanced-regular-expressions-some-tools-and-an-example/comment-page-1/#comment-2618 Adam Tue, 15 Jun 2010 08:34:57 +0000 http://www.laneolson.ca/?p=151#comment-2618 Thank you so much for this post, i digg the way you explain stuff, before regex was a mystery to me! Looking forward to see more tutorials from you! Thank you so much for this post, i digg the way you explain stuff, before regex was a mystery to me! Looking forward to see more tutorials from you!

]]> By: Lane http://www.laneolson.ca/2010/02/09/advanced-regular-expressions-some-tools-and-an-example/comment-page-1/#comment-1788 Lane Wed, 10 Feb 2010 15:34:45 +0000 http://www.laneolson.ca/?p=151#comment-1788 Hi David, I did use the field extractor in Splunk 3, but haven't tried it in Splunk 4 yet. In Splunk 3 it was easier for me to just write the regex because there were instances where I couldn't get it to pick up a specific value in my Windows 2008 events. I'll have to try it out and version 4, it will be nice if I can manually modify and test the regex it generates. I agree that the regex in my example is somewhat difficult. I need it to capture IP addresses and ignore prefixes (like www and subdomain names) but still capture domain suffixes (like .com and .ab.ca) so that is where most of the complexity comes in. I'm positive there are other, more simplified, regexes that will do the same job. As the old saying goes... there's more than one way to skin a cat. ;) Thanks for the tip! I'm going to go check out the field extractor. Hi David,

I did use the field extractor in Splunk 3, but haven’t tried it in Splunk 4 yet. In Splunk 3 it was easier for me to just write the regex because there were instances where I couldn’t get it to pick up a specific value in my Windows 2008 events. I’ll have to try it out and version 4, it will be nice if I can manually modify and test the regex it generates. I agree that the regex in my example is somewhat difficult. I need it to capture IP addresses and ignore prefixes (like www and subdomain names) but still capture domain suffixes (like .com and .ab.ca) so that is where most of the complexity comes in. I’m positive there are other, more simplified, regexes that will do the same job. As the old saying goes… there’s more than one way to skin a cat. ;)

Thanks for the tip! I’m going to go check out the field extractor.

]]> By: David http://www.laneolson.ca/2010/02/09/advanced-regular-expressions-some-tools-and-an-example/comment-page-1/#comment-1787 David Wed, 10 Feb 2010 15:18:04 +0000 http://www.laneolson.ca/?p=151#comment-1787 Have you tried the interactive field extractor in Splunk. You give it examples of values you want to extract and it generates the regex. It works for a lot of common regex cases and you can provide counter examples when it gets things wrong. In your example, which is somewhat difficult, it didn't go a great job -- (?i)/www\.(?[^\.]*)(?=\.) But that same tool allows you to edit the regex right there and fix it up, so you can see how it extracted in your data on hundreds of examples, or tens of thousands if you hit the 'test' button. Have you tried the interactive field extractor in Splunk. You give it examples of values you want to extract and it generates the regex. It works for a lot of common regex cases and you can provide counter examples when it gets things wrong. In your example, which is somewhat difficult, it didn’t go a great job — (?i)/www\.(?[^\.]*)(?=\.)

But that same tool allows you to edit the regex right there and fix it up, so you can see how it extracted in your data on hundreds of examples, or tens of thousands if you hit the ‘test’ button.

]]>