Regular Expressions 101

Splunk log regex

Regular Expression
PCRE2 (PHP >=7.3)

/
ugi=(?<ugi>[\w]+)\sip=(?<ip>[\S]+)\scmd=(?<cmd>[\S]+)\s(?<method>[\S]+)[\s]?:\s(?<details>[\S]+)
/
gm

Description

Regex to parse a space-separated log message from Splunk into the named groups ugi, ip, cmd, method and details.

test string

ugi=flink ip=172.18.214.55 cmd=source:172.18.214.55 alter_table: hive.net_seed.netdebugnetworkconnectionstatereadysnapshotcapturedevent newtbl=netdebugnetworkconnectionstatereadysnapshotcapturedevent
ugi=root ip=172.19.212.146 cmd=source:172.19.212.146 get_table : tbl=hive.nlx_dev.marrsqueryrewritecontextevent
Submitted by Steve Zhang - 2 years ago
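As an added example (not part of the regex101 entry), the pattern applied in Python to the page's two test strings, plus a variant that keeps the rest of the line in `details`: the original `[\S]+` stops at the first space, so the trailing `newtbl=...` pair of the first test string is dropped. The `FULL_PATTERN` name and the third, non-matching sample line are this example's own constructions.

```python
import re

# The page's PCRE2 pattern, rewritten with Python's (?P<name>...) group syntax;
# Python's re module does not accept the (?<name>...) form used on regex101.
PAGE_PATTERN = re.compile(
    r"ugi=(?P<ugi>[\w]+)\sip=(?P<ip>[\S]+)\scmd=(?P<cmd>[\S]+)"
    r"\s(?P<method>[\S]+)[\s]?:\s(?P<details>[\S]+)"
)

# Variant (added here, not from the page): `details` takes the rest of the line,
# so trailing key=value pairs such as "newtbl=..." survive the parse.
FULL_PATTERN = re.compile(
    r"ugi=(?P<ugi>[\w]+)\sip=(?P<ip>[\S]+)\scmd=(?P<cmd>[\S]+)"
    r"\s(?P<method>[\S]+)[\s]?:\s(?P<details>.+)$"
)


def parse_line(line: str, pattern: re.Pattern = PAGE_PATTERN):
    """Return the named groups as a dict, or None when the line does not match."""
    m = pattern.search(line.rstrip())
    return m.groupdict() if m else None


# Sample input: the page's two test strings plus one constructed line that has
# no "method : details" part, to show the non-match case.
LINES = [
    "ugi=flink ip=172.18.214.55 cmd=source:172.18.214.55 alter_table: "
    "hive.net_seed.netdebugnetworkconnectionstatereadysnapshotcapturedevent "
    "newtbl=netdebugnetworkconnectionstatereadysnapshotcapturedevent",
    "ugi=root ip=172.19.212.146 cmd=source:172.19.212.146 get_table : "
    "tbl=hive.nlx_dev.marrsqueryrewritecontextevent",
    "ugi=root ip=172.19.212.146 cmd=source:172.19.212.146",  # constructed
]

if __name__ == "__main__":
    for line in LINES:
        print("page pattern:", parse_line(line))
        print("full pattern:", parse_line(line, FULL_PATTERN))
```

Both patterns accept "alter_table:" and "get_table :" because `[\s]?` makes the space before the colon optional; only the variant retains everything after the first `details` token.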