Hello Splunkers,
My problem is nearly similar to this one, only not spaces.
https://answers.splunk.com/answers/369822/how-do-i-handle-fields-with-no-value-or-a-blank-sp.html
Raw Data:
12345 12345;|;0;|;;|;2017-04-17 21:59:11.000000;|;2017-04-17 21:59:11.000844;|;A;|;A;|;;|;N;|;6789;|;6789;|;R;|;R;|;RM;|;A;|;10;|;A;|;A;|;
My Rex Query:
| rex "^(?<field1>[^;]+);\|;(?<field2>[^;]+);\|;(?<field3>[^;]+);\|;(?<field4>[^;]+);\|;(?<field5>[^;]+);\|;(?<field6>[^;]+);\|;(?<field7>[^;]+);\|;(?<field8>[^;]+);\|;"
My problem here is field3 and field8, which are basically nothing: a delimiter next to a delimiter. How can I capture nothing and replace it with something?
Much appreciated!
A greedy match like below might do the trick.
| rex "^(?P<field1>[^\;]+)\;\|\;(?P<field2>[^\;]*)\;\|\;(?P<field3>[^\;]*)\;\|\;(?P<field4>[^\;]*)\;\|\;(?P<field5>[^\;]*)\;\|\;(?P<field6>[^\;]*)\;\|\;(?P<field7>[^\;]*)\;\|\;(?P<field8>[^\;]*)\;\|\;(?P<field9>[^\;]*)\;\|\;(?P<field10>[^\;]*)\;\|\;"
The greedy approach shall work, but please be aware of the pitfalls of being greedy, which are discussed in this thread:
https://answers.splunk.com/answers/489539/bug-in-rex-command-not-working-if-the-raw-data-has.html
More on why this happens due to catastrophic backtracking here:
https://answers.splunk.com/answers/489539/bug-in-rex-command-not-working-if-the-raw-data-has.html#co...
Worked like a charm! Thanks
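The difference between the question's [^;]+ and the answer's [^;]* on the raw event above, reproduced outside Splunk as an added example (not code from this thread). Python's re module stands in for the rex regex engine; the N/A fill value, the function names and the split-based alternative are assumptions made for illustration.

```python
import re

# Raw event copied from the question above.
RAW = ("12345 12345;|;0;|;;|;2017-04-17 21:59:11.000000;|;"
       "2017-04-17 21:59:11.000844;|;A;|;A;|;;|;N;|;6789;|;6789;|;"
       "R;|;R;|;RM;|;A;|;10;|;A;|;A;|;")

DELIM = r";\|;"          # the literal ;|; separator, escaped for regex use
PLACEHOLDER = "N/A"      # assumed value to substitute for empty fields


def build_pattern(n_fields, quantifier):
    """Build ^(?P<field1>[^;]Q);\\|;(?P<field2>[^;]Q);\\|;... for Q in {+, *}."""
    parts = [f"(?P<field{i}>[^;]{quantifier})" for i in range(1, n_fields + 1)]
    return re.compile("^" + DELIM.join(parts) + DELIM)


def extract(raw, n_fields, quantifier):
    """Return named fields with empties replaced, or None if nothing matched."""
    m = build_pattern(n_fields, quantifier).match(raw)
    if m is None:
        return None
    return {k: (v if v != "" else PLACEHOLDER) for k, v in m.groupdict().items()}


def extract_by_split(raw):
    """Regex-free alternative: split on the delimiter, so there is no backtracking."""
    values = raw.split(";|;")
    if values and values[-1] == "":
        values.pop()     # drop the empty tail left by the trailing delimiter
    return {f"field{i}": (v or PLACEHOLDER) for i, v in enumerate(values, 1)}


if __name__ == "__main__":
    # '+' demands at least one character, so the empty field3 kills the match.
    print("with +:", extract(RAW, 8, "+"))
    # '*' accepts zero characters; empty captures are then filled in.
    print("with *:", extract(RAW, 8, "*"))
    print("split :", extract_by_split(RAW))
```

Because [^;] can never cross a semicolon, each capture group has only one way to match, so this particular pattern does not backtrack badly; the split version avoids the regex engine entirely.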