- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- space in my field with the field I extracted with ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Use a regex to extract some fields from my log with the regex101.com tool. but when I do the search for the mix field for example
index=search sourcetype=datos.log mix=818 does not show me results
but if I add an asterisk to the search index=search sourcetype=datos.log mix=*818 shows me results
My regex is the following:
(?<hora>[0-9]{8})+\s{1}+(?<mix>\d{3})(?<resp>[I|O])
these are some lines of my log
09523744 865O F010@@@@Y1905A46100000002 00000000151100157600STD20001
865O 030202040005 1029 003047100000000012602
865O 00000000000000000000000000000000000000000000517712002534
865O 4898
Could you help me please?
Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is due to mix being a partial token (like part of a whole word). See slide 29 of this presentation by Martin Mueller: https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf.
To illustrate, try index=search sourcetype=datos.log | search mix=818.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is due to mix being a partial token (like part of a whole word). See slide 29 of this presentation by Martin Mueller: https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf.
To illustrate, try index=search sourcetype=datos.log | search mix=818.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Carolina, I think your reg ex is working fine your data seem be for 865 while you search mentions 818. However, I expect pattern remains the same for both. If you notice the regular expression for getting mix field is a combination of three digits (i.e. (?<mix>\d{3}) ) which is expected.
Can you try the following search?
index=search sourcetype=datos.log *818*
| search mix=818
Also you may change to the following regex but it is does the same thing as yours: (?<hora>[0-9]{8})\s(?<mix>\d{3})(?<resp>[I|O]). You can test out regular expression on regex101.com. I have added the regular expression and sample data as per the question (this will also help you understand how your regular expression is working).
https://regex101.com/r/t4uLzQ/1
If it still does not work, test out with mix=865 for which you have provided data.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay, I already try the search and I have the same problem
but if I give a stats count index=search sourcetype=datos.log mix=* it shows me the mix however when I click on view event it does not show me results
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
