Solved: Regex remove quotes from log file field

mplungjan · ‎09-10-2013

Hi, I have a transform like this - it works fine except when I need to look up a field

[specialLogFile]
REGEX = ^([0-9\.]+) ([0-9\-]*) ([0-9\-]*) (\[[^\]]+\]) ("[^"]+") ([0-9\-]+) ([0-9\-]+) ("[^"]+") ("[^"]+") ([0-9\-]+) ("[^"]+") ([0-9\.]+)
FORMAT = client_ip::$1 user::$2 profile::$3 timestamp::$4 url::$5 http_status::$6 bytes::$7 referer::$8 user_agent::$9 processing_time_ms::$10 userNumber::$11 other_ip::$12

the matching log file entry would be

111.222.333.444 - - [24/Apr/2013:15:47:11 +0200] "GET /somerequest HTTP/1.1" 200 18356 "-" "some quoted useragent" 123 "4418" 222.333.444.555

My problem is when I want to use a look-up table with a userNumber, the CSV is converted by Splunk into a number, regardless of quotes in the CSV or not.

Can you please help me change ("[^"]+") to whatever it takes to become a non-quoted number so I can have a CSV with

userNumber email username
4418, someone@somewhere.com,Fred

and be able to match the userNumber from CSV to the extracted log file field at search time

Thanks

kristian_kolb · ‎09-10-2013

Could you not just put the quotation marks outside the capture group? Skipping the first 10 fields in the example below.

REGEX= ... "([^"]+)" ([0-9.]+)

/K

View solution in original post

kristian_kolb · ‎09-10-2013

Could you not just put the quotation marks outside the capture group? Skipping the first 10 fields in the example below.

REGEX= ... "([^"]+)" ([0-9.]+)

/K

mplungjan · ‎09-11-2013

Thanks, that was it.

Regex remove quotes from log file field

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life