0

I want to filter the following word APPLE from this string:

"[BANANA => APPLE]"

I tried to do that with the RegEx (?<=\> ).+?(?=]) but that doesn't solve my problem.

EDIT: I am trying this in Grok Debugger. %{TO:client}.

TO (?<=\> ).+?(?=])

but it displays no matches.

2
  • How does this not work? Commented Aug 19, 2018 at 18:19
  • Try =>\s*(?<client>[^\]]+) Commented Aug 19, 2018 at 19:11

2 Answers

1

Grok uses an Oniguruma regex engine, and fields are usually created with the help of named groups:

you can use the Oniguruma syntax for named capture which will let you match a piece of text and save it as a field

You should use a named capturing group with a pattern like

=>\s*(?<client>[^\]]+)

It will match =>, 0+ whitespaces, and then will capture into Group "client" (the client field will then get created) one or more chars other than ].


2 Comments

I really liked your answer, Wiktor!
I have another question: How do I filter "Apple" From: [07/08/2018 | 16:40:05] | [Apple -> Orange]
0

Is that what you're looking for? Just matching everything between => and ]

=> (.+?)\]

Your word will be in the first group. Of course there is still space to improve it with lookaheads etc.

I recommend using https://regex101.com/ to debug and verify your regexps.

2 Comments

I can't handle groups in the Grok Debugger, I think.
Ran, if your tool doesn't support groups then it DEFINITELY doesn't support lookarounds and more advanced regexp stuff. Then preprocess your text in a Python/JS script before you pass the data to your tool.
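
An added example, not part of either answer: Ruby's regex engine (Onigmo) is a fork of Oniguruma, so the named-capture syntax from the first answer can be tried outside Grok. The block runs both answers' patterns over constructed sample lines to show where they differ; the helper names and the samples are assumptions made for illustration.

```ruby
# Pattern from the first answer: "=>", optional whitespace, then everything
# up to (not including) the next "]" captured into the group "client".
NAMED = /=>\s*(?<client>[^\]]+)/

# Pattern from the second answer: same idea, but a numbered group, exactly
# one literal space after "=>", and a mandatory closing "]".
NUMBERED = /=> (.+?)\]/

# Hypothetical helpers: return the captured value, or nil when nothing matches.
def client_named(line)
  m = NAMED.match(line)
  m && m[:client]
end

def client_numbered(line)
  m = NUMBERED.match(line)
  m && m[1]
end

# Constructed sample lines (not real log data).
SAMPLES = [
  "[BANANA => APPLE]",    # the string from the question
  "[BANANA =>APPLE]",     # no space after the arrow
  "[BANANA =>   APPLE]",  # several spaces after the arrow
  "[BANANA => APPLE",     # closing bracket missing (truncated line)
  "no arrow here"         # unrelated line
].freeze

# Run both patterns over every sample: [line, named result, numbered result].
def compare(lines = SAMPLES)
  lines.map { |l| [l, client_named(l), client_numbered(l)] }
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |line, named, numbered|
    puts "#{line.ljust(22)} named=#{named.inspect} numbered=#{numbered.inspect}"
  end
end
```

The named pattern tolerates missing or extra whitespace after the arrow and a truncated line, while the numbered one returns nil or keeps the leading spaces in those cases.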
