Splunk Search

Field Extractor Regex bombs on slash

Sageth
New Member

Hi All -

I have some data as follows in a fixed length log file.

13170182  1108                                  ABC1D234/EFG56789 I N R SNET0031        0 BPGTCPI1/3712  TCPIP session closed by ABC12D34 from: 10.20.30.40/56927
13170183  1108                                  ABC1D2  /EFG56789 I N R SNET0031        0 BPGTC   /3712  TCPIP session closed by ABC12D34 from: 10.20.30.40/56927

I'm trying to use the field extractor, but for some reason, it bombs out and stops working after the first slash and I've been unable to work around it. This regex works:

(?P<FIELDNAME1>\d{8})\s+(?P<FIELDNAME2>\d{4})\s+(?P<FIELDNAME3>[\w\s]{32})\s+(?P<FIELDNAME4>[\w\s]{8})\/

But as soon as I add the fifth field, there is no data sample returned from the extractor. The regex below doesn't work, but doesn't give me an error. I've tried a few variations, including adding the slash as its own separator field with a {1}, and also trying to do a fieldname4 with {9} (which works), but as soon as I try to get the next character, it stops working again. Like so:

(?P<FIELDNAME1>\d{8})\s+(?P<FIELDNAME2>\d{4})\s+(?P<FIELDNAME3>[\w\s]{32})\s+(?P<FIELDNAME4>[\w\s]{8})\/(?P<FIELDNAME5>[\w\s]{8})/s+

Any ideas on what I'm missing? Is there are character limit I'm hitting against?

0 Karma
1 Solution

aholzer
Motivator

You have the wrong "slash" on the last "/s+". it should be a backslash: \s+

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Your second regex string does not escape the last slash. Are you sure you have the field widths correct? When I add them up, field5 does not end with a slash.

---
If this reply helps you, Karma would be appreciated.
0 Karma

aholzer
Motivator

You have the wrong "slash" on the last "/s+". it should be a backslash: \s+

Sageth
New Member

Holy dumb. I spent 3 hours on that and never realized. It works. Thank you!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...