Splunk Search

Why am I getting different results for this field extraction?

daniel333
Builder

All,

When I search and use rex I get the ports from the Apache logs as expected. Getting all ports 80 and 443 and 8080.
index=web 443 | rex field=_raw "^\d+.\d+.\d+.\d+ - (?\d+) ["

How ever, when I place the same extraction in props.conf it only gets port 80
[apache:access]
EXTRACT-port = ^\d+.\d+.\d+.\d+ - (?\d+) [

Any idea where my mistake is?

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Try:

EXTRACT-port = ^\d+\.\d+\.\d+\.\d+ - (?P<port>\d+) \[
0 Karma

skoelpin
SplunkTrust
SplunkTrust

The field is relative to the sourcetype you specify. Try explicitly including the sourcetype you defined in your props.conf in your search and see if you get the same results

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Your regexes look wrong to me.

Remember a period matches ANYTHING. If you mean only a . character, then you need to escape it.

so, for instance, matching this regex up with the IP that follows it...

 ^\d+.\d+.\d+.\d

 123.123.33.12

...means that the first \d+ matches the 1, the . matches the 2, the second \d+ matches the 3, the second . matches the first ., and so on.

Escape all those periods and try your test again.

0 Karma

niketn
Legend

@daniel333, Can you post your code with code button 101010 on Splunk Answers so that special characters do not escape?

Also can you add few mocked up sample events with different port numbers?

Ideally if rex is working in search, then same regular expression should also fetch when saved as Field Extraction (?<port>\d+).

Can you try Interactive Field Extraction in Splunk with your regular expression and see if you have Non Matches, or maybe let Splunk generate the regular expression, by adding non-matches.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...