-1

I have a line containing

[India,sn_GB] Welcome : { Name:{Customer1},Place:{Mumbai},}

I want to print the entire line after sn_GB] in Splunk, which is

Welcome : { Name:{Customer1},Place:{Mumbai},}

I used the below regular expression:

(?<=sn_).*?$

But it prints GB] along with it, like GB] Welcome : { Name:{Customer1},Place:{Mumbai},}. In the word sn_GB, sn_ is constant and the remaining two letters will vary, like GB, LB, KB, TB and so on.

Please help me in correcting the regular expression.

Thanks

Wiktor Stribiżew
Chinchan
  • Sorry, I missed out: in the word sn_GB, sn_ is constant and the remaining two letters will vary, like GB, LB, KB, TB and so on. How should I include sn_(wildcard)] in the regex? – Chinchan Jul 05 '18 at 06:35

2 Answers

0

I understand your question now. Country codes are always 2 letters. I'd use

(?<=sn_..\]\ ).*$

but you could use (?<=sn_[A-Z]{0,5}\]\ \s*).*?$

(?<=sn_....).*$

is the simplest, as it will just grab 4 characters after, if it's always 2 letters for country code, and then a closing bracket and a space

Robert Cotterman
0

This will give the correct result in case sn_GB is constant.

(?<=sn_GB).*?$

If GB is not constant you can go for:

(?<=sn_...).*?$
Ashu
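
The patterns from the question and both answers, run side by side over sample lines. This is an added example, not part of either answer. It assumes Python's `re` module as a stand-in for Splunk's regex engine, uses constructed sample lines, and adds a capture-group pattern (`CAPTURE`, field name `msg`) that is not on the page.

```python
import re

# Constructed sample lines in the question's format; only the two-letter code varies.
SAMPLES = [
    "[India,sn_GB] Welcome : { Name:{Customer1},Place:{Mumbai},}",
    "[India,sn_LB] Welcome : { Name:{Customer2},Place:{Pune},}",
    "[India,sn_KB] Welcome : { Name:{Customer3},Place:{Delhi},}",
]
# The text the question wants: everything after "] ".
EXPECTED_TAIL = [s.split("] ", 1)[1] for s in SAMPLES]

# Patterns quoted on the page.
QUESTION = r"(?<=sn_).*?$"                   # stops right after "sn_"
FIXED_2 = r"(?<=sn_..\]\ ).*$"               # 2 chars, "]", space
FIXED_4 = r"(?<=sn_....).*$"                 # any 4 chars after "sn_"
FIXED_3 = r"(?<=sn_...).*?$"                 # any 3 chars after "sn_"
VARIABLE = r"(?<=sn_[A-Z]{0,5}\]\ \s*).*?$"  # variable-width lookbehind
# Added alternative (assumption, not from the page): match the prefix
# normally and capture the remainder in a named group.
CAPTURE = r"sn_[A-Z]{2}\]\s*(?P<msg>.*)$"


def compiles(pattern):
    """True if Python's re accepts the pattern."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract(pattern, line):
    """Return group 'msg' if the pattern defines it, else the whole match."""
    m = re.search(pattern, line)
    if m is None:
        return None
    return m.group("msg") if "msg" in m.re.groupindex else m.group(0)


if __name__ == "__main__":
    for name in ("QUESTION", "FIXED_2", "FIXED_4", "FIXED_3", "VARIABLE", "CAPTURE"):
        pat = globals()[name]
        if not compiles(pat):
            print(f"{name:9} rejected: lookbehind is not fixed-width")
            continue
        for line in SAMPLES:
            print(f"{name:9} -> {extract(pat, line)!r}")
```

Python rejects the `[A-Z]{0,5}` and `\s*` inside the lookbehind, and the three-character lookbehind leaves a leading space in the result. In Splunk, a named-group pattern like `CAPTURE` is the form the `rex` command uses to extract a field.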