Splunk Search

space in my field with the field I extracted with a regex

Carolina
Engager

Hi,
I use a regex to extract some fields from my log, built with the regex101.com tool, but when I search for the mix field, for example
index=search sourcetype=datos.log mix=818, it does not show me results,
but if I add an asterisk to the search, index=search sourcetype=datos.log mix=*818, it shows me results.
My regex is the following:

(?<hora>[0-9]{8})+\s{1}+(?<mix>\d{3})(?<resp>[I|O])

these are some lines of my log

09523744 865O F010@@@@Y1905A46100000002     00000000151100157600STD20001
         865O 030202040005 1029  003047100000000012602                  
         865O   00000000000000000000000000000000000000000000517712002534
         865O 4898   

Could you help me please?

Regards.

1 Solution

micahkemp
Champion

This is due to mix being a partial token (like part of a whole word). See slide 29 of this presentation by Martin Mueller: https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf.

To illustrate, try index=search sourcetype=datos.log | search mix=818.
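A small Python model of the behaviour micahkemp describes, added here as an illustration and not part of his answer or of Splunk's own code. It assumes a simplified tokenizer (whitespace plus a few minor breakers), a constructed second event with mix=818, and the rule from the linked slides that an unwildcarded field=value term in the base search must also match an indexed token before search-time extraction runs.

```python
import re
import fnmatch

# Constructed sample events: the first line of the question's log plus an
# invented second event with mix=818 (not from the original post).
EVENTS = [
    "09523744 865O F010@@@@Y1905A46100000002     00000000151100157600STD20001",
    "09523801 818I F020@@@@Y1905A46100000003     00000000151100157601STD20001",
]

# Search-time extraction: niketn's simplified regex, written with Python's
# (?P<name>) group syntax; the literal "|" inside [I|O] is dropped as noise.
FIELD_RE = re.compile(r"(?P<hora>[0-9]{8})\s(?P<mix>\d{3})(?P<resp>[IO])")

# Simplified model of Splunk's indexed tokens: split on major breakers (whitespace)
# and a handful of minor breakers. Letters and digits never break, so "818I" stays
# one token and "818" on its own is never indexed.
BREAKERS = re.compile(r"[\s\[\]<>(){}|!;,'\"*&?+/:=@.\-$#%\\_]+")

def indexed_tokens(event):
    return {tok for tok in BREAKERS.split(event) if tok}

def extract_mix(event):
    m = FIELD_RE.search(event)
    return m.group("mix") if m else None

def search_mix_eq(value):
    """mix=818 in the base search: the literal term 818 is also required among the
    indexed tokens, so an event whose only matching token is 818I is dropped
    before field extraction ever sees it."""
    candidates = [e for e in EVENTS if value in indexed_tokens(e)]
    return [e for e in candidates if extract_mix(e) == value]

def search_mix_wildcard(pattern):
    """mix=*818: a wildcard disables the token prefilter; only extraction decides."""
    return [e for e in EVENTS
            if extract_mix(e) and fnmatch.fnmatch(extract_mix(e), pattern)]

def search_then_pipe(value):
    """index=... | search mix=818: the base search returns every event, then the
    piped search filters on the extracted field with no token prefilter involved."""
    return [e for e in EVENTS if extract_mix(e) == value]

if __name__ == "__main__":
    print("mix=818          ->", len(search_mix_eq("818")), "events")
    print("mix=*818         ->", len(search_mix_wildcard("*818")), "events")
    print("| search mix=818 ->", len(search_then_pipe("818")), "events")
```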

niketn
Legend

@Carolina, I think your regex is working fine; your data seems to be for 865 while your search mentions 818. However, I expect the pattern remains the same for both. If you notice, the regular expression for getting the mix field is a combination of three digits (i.e. (?<mix>\d{3}) ), which is expected.

Can you try the following search?

index=search sourcetype=datos.log *818*
| search mix=818

Also, you may change to the following regex, but it does the same thing as yours: (?<hora>[0-9]{8})\s(?<mix>\d{3})(?<resp>[I|O]). You can test out the regular expression on regex101.com. I have added the regular expression and sample data as per the question (this will also help you understand how your regular expression is working).

https://regex101.com/r/t4uLzQ/1

If it still does not work, test out with mix=865 for which you have provided data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Carolina
Engager

@niketnilay, I already tried the search and I have the same problem,
but if I do a stats count with index=search sourcetype=datos.log mix=* it shows me the mix; however, when I click on view events it does not show me results.
