Splunk Enterprise

Unable to extract unicode charecter from indexed data after applying regex in props.conf

soumyacharya91
Path Finder

Hi,

I am applying a regex to extract values from a string which carries unicode charecters. The strange thing is when I try to apply the regex from my SH it is working fine. But when the same has been applied using props file the result is populating with its hex value. Like if my string contains “O with stroke” I am getting the result as \u00f8 in my search for that character when using field extraction from props.conf. Any help will be highly appreciated.

Thanks,

Tags (1)
0 Karma

mayurr98
Super Champion

Try this run anywhere search

| makeresults 
| eval _raw="user Kim Søby Nielsen from" 
| rex field=_raw "user\s(?<name>.+?(?=\sfrom))"

To automate it,
go to Fields » Field extractions » Add new
Extraction/transforms:
user\s(?<name>.+?(?=\sfrom))

let me know if this helps!

0 Karma

soumyacharya91
Path Finder

No it's not working. Tested and getting the hex value as before. Kim S\u00f8by Nielsen
Updated file in props.conf as EXTRACT-user_role=user\s(?.+?(?=\sfrom))

0 Karma

p_gurav
Champion

Can you tell me what settings you are using in props.conf?

0 Karma

soumyacharya91
Path Finder

Hi Gurav,

The data on which I want to apply the regex is like user Kim Søby Nielsen from.

The expression i'm using in my search heads props.conf is EXTRACT-user_role=user (?.+?) from

The result I'm getting is Kim S\u00f8by Nielsen and the expected result should be like Kim Søby Nielsen which is population if I'm executing the query at the time of search. Query using at search time is rex field=Display "user (?.+?) from"

Thanks

0 Karma

p_gurav
Champion

Can you try using splunk's in-build "Field Extractor".

0 Karma

soumyacharya91
Path Finder

I have already tried that. But it is not working. Still same result.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...