Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field Extract returns different results than inline rex field

coshea
Engager
‎12-11-2014 08:52 AM

Using Splunk 6.2,

I have a few regex commands that return drastically different results when they are set up using field extractions vs inline seach commands. For example,

Example Log File:

20140915171053989759850769-27156-8.0.0  --Portfolio "MASTER LONG" --PeriodStartDate "January 1, 2014 12:00:00 am" --PeriodEndDate   "September 15, 2014 11:59:59 pm"

Search command (works correctly):

|rex field=_raw "\bPeriodStartDate.*\"(?<PeriodStart>.*)\"" 
|rex field=_raw "\bPeriodEndDate.*\"(?<PeriodEnd>.*)\""
|rex field=_raw "\bPortfolio.*\"(?<Portfolio>.*)\""

Field Extractions: 

\bPeriodEndDate.*\"(?.*)\" 
\bPeriodStartDate.*\"(?.*)\" 
\bPortfolio.*\"(?.*)\"

Could I be doing something wrong in the Field Extractions? I used the same regex in Splunk 6.0 with no issues. Any help would be appreciated!

0 Karma
Reply

landen99
Motivator
‎09-04-2015 05:51 AM

I observed that your solution (above) always captures the end date. Adding \s* as martin suggested does capture everything to the end as you noted. My solution captures exactly what you want efficiently:

-+PeriodEndDate\s+"(?<PeriodEnd>[^"]+)"
-+PeriodStartDate\s+"(?<PeriodStart>[^"]+)"
-+Portfolio\s+"(?<Portfolio>[^"]+)"
0 Karma
Reply

coshea
Engager
‎12-18-2014 12:25 PM

The missing field names inside the capture groups was a bit of a copy and paste error. Here is what I have now:

\bPeriodEndDate.*"(?<PeriodEnd>.*)" 
\bPeriodStartDate.*"(?<PeriodStart>.*)" 
\bPortfolio.*"(?<Portfolio>.*)"

I got rid of the escaped double quote but still can't get it working. If I use \s* it returns the whole log. But if I use .* it returns every event inside of the double quotes.

Thank you for the help

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎12-11-2014 02:31 PM

In rex \" is an escaped double quote, in the field extraction config it's a backslash followed by a double quote - there's no need to escape the double quote because it's not inside a double-quoted string. Additionally it seems your field extraction config is missing the field names inside the capturing groups.

Another unrelated thought, consider using \s* instead of .* to jump the gap between your string and the quoted field value, the .* greedily matches everything which can lead to unexpected results both in rex and field extraction config.

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...