Solved: Matching Two Strings in Field Extraction

kederart · ‎01-11-2013

I am trying to match two separate strings for one field extraction. When setup separately they would look like...

(?i)^[^*#\d+\s+(?P< a >[^]+)

and

(?i)^(?:[^\-]*\i{2}\d+\s+(?P< b >[^]+)

I combined them by simply placing a pipe in between the two strings. The problem is Splunk will only pick up whichever value has a, and the b value will be lost. I can switch a and b and the values picked up will switch, but I cannot get the combination of both. I also cannot name both a as that is against Splunk conventions. Is this possible to accomplish? What am I missing here? Thanks.

jameshgibson · ‎01-11-2013

can you not change the regex to:

(?i)^([^*#]\d+\s+|(?:)[^\-]*\i{2}\d+\s+)(?P<a>[^]+)

this should match (?P<a>[^]+) when preceded by either (?i)^[^*#]\d+\s+ or (?i)^(?:)[^\-]*\i{2}\d+\s+

that is assuming you are missing a closing [ and ) in the expressions in your question.

View solution in original post

Ayn · ‎01-11-2013

Fair enough, but I think the easiest thing still would be to have multiple field extractions - you can still use the same field name for your extraction, it's just different ways of arriving at the extracted field. So you wouldn't have to mess with name1, name2 etc, you can just extract everything to name.

jameshgibson · ‎01-11-2013

can you not change the regex to:

(?i)^([^*#]\d+\s+|(?:)[^\-]*\i{2}\d+\s+)(?P<a>[^]+)

this should match (?P<a>[^]+) when preceded by either (?i)^[^*#]\d+\s+ or (?i)^(?:)[^\-]*\i{2}\d+\s+

that is assuming you are missing a closing [ and ) in the expressions in your question.

kederart · ‎01-11-2013

Sorry for the confusion. We want to search for a name (example a), however the name isn't always coming up as other names are being formatted in the second way (example b). We want a way to search for all the names without having multiple field extractions. I thought we could do that by piping the two searches together. We don't want to have name1, name2, name3 for field extractions because it's going to become cluttered and a little difficult to manage. Does that make more sense?

Ayn · ‎01-11-2013

I'm not sure I follow. Why would you need multiple searches to perform multiple field extractions? There are usually loads of field extractions taking place for each event in a search.

kederart · ‎01-11-2013

We have a dozen or so logs and we are doing multiple field extractions for each log. If we keep doing multiple field extraction for "a" then we are going to be cluttered with 6-10 searches per log. Our goal is to cut down on the clutter.

Ayn · ‎01-11-2013

Why not have two field extractions?

kederart · ‎01-11-2013

The only solution I've found so far is adding a second field extraction that both search on a. However, we have multiple logs and this could get cluttered when we start adding more searches. Would prefer to keep it as one search.

Matching Two Strings in Field Extraction

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...