Solved: Regex sanity check - fixed record length field ext...

himynamesdave · ‎06-02-2015

Guys, I have a horrible dataset in Splunk and am trying to match fields based on a position in event.

As an example, I need to extract a field which is found in the 201st and 202nd position of the event. I tried the following extraction (with some iteration) which fails.

| rex (.){200}(?P<FIELD>.{2})

What should it look like?

Thanks!

richgalloway · ‎06-02-2015

Remove the parentheses from around the first dot and it should work. Of course, the whole regex string must be quoted.

 | rex ".{200}(?P<FIELD>.{2})" | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-02-2015

Remove the parentheses from around the first dot and it should work. Of course, the whole regex string must be quoted.

 | rex ".{200}(?P<FIELD>.{2})" | ...

---
If this reply helps you, Karma would be appreciated.

jacobwilkins · ‎06-02-2015

Also, anchor it.

| rex "^.{200}(?P<FIELD>.{2})"

himynamesdave · ‎06-03-2015

Thanks guys!

Regex sanity check - fixed record length field extraction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life