I need to extract both of the words. Does anyone know how? I have used this
(?i)summary : (?P<FIELDNAME>[\w\.]+)
but it extracts only the word Mostly.
summary : Mostly Cloudy
I tried this expression and it works. Btw, thanks for your help! 😃
(?i)Summary : (?P
(?<field_name>\S+)\s+:\s+(?<field_value>.+)
Be careful about the case of 's', because '\s' has a different meaning than '\S'.
See my comments below; I cannot post code in here.
Well, that's quite a different use case than I would have guessed from your initial question. I updated my answer to extract the field_name ("summary") and the field_value ("Mostly Cloudy") separately.
But maybe you also want to take a look at handling multiline events.
I am using 5.0.2. Btw, it worked, but my data is input this way (below); it extracts this
FIELDNAME
Mostly Cloudy
temperature
Foggy
temperature
lastword
temperature
(Splunk reads my data every 5 minutes)
time : 1371715104
visibility : 0.67
windBearing : 260
windSpeed : 9.41
psiAverage : 182
cloudCover : 0.61
dewPoint : 65.58
humidity : 0.39
icon : fog
ozone : 267.04
precipIntensity : 0
pressure : 1005.64
summary : Foggy
temperature : 94.49
Now I changed it so the inner capture group is named as well, even if it is not needed on my test instance (5.0.1).
kailun, which Splunk version do you use?
Invalid regex: no named extraction at position 27 (i.e., ">([\w.]+..."). Expected "(?P
The question mark in the inner capture group was producing a problem; I edited my answer to my tested solution.
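As an added example (not code posted by anyone in this thread), the regexes discussed above can be checked outside Splunk with Python's re module. The script below applies the asker's original pattern and the answer's field_name/field_value pattern to a constructed copy of the posted weather event. Python's re only accepts the (?P<name>...) named-group form, so the answer's (?<name>...) is written that way here; the sample event and the helper names are my own and are not from the thread. It also shows the \s versus \S caveat: with a lowercase \s for the field name, the pattern matches nothing in this data.

```python
import re
from typing import Dict, Optional

# Constructed sample event, modelled on the multi-line weather data
# posted in the thread (not the poster's actual data).
SAMPLE_EVENT = """time : 1371715104
visibility : 0.67
windBearing : 260
windSpeed : 9.41
psiAverage : 182
cloudCover : 0.61
dewPoint : 65.58
humidity : 0.39
icon : fog
ozone : 267.04
precipIntensity : 0
pressure : 1005.64
summary : Mostly Cloudy
temperature : 94.49
"""

# The asker's original pattern: [\w.]+ cannot match a space, so the
# captured value stops after the first word ("Mostly").
ORIGINAL_RE = re.compile(r"(?i)summary : (?P<FIELDNAME>[\w.]+)")

# The answer's pattern, in the (?P<name>...) form Python requires:
# \S+ takes the field name (no whitespace), .+ takes the rest of the line.
PAIR_RE = re.compile(r"(?P<field_name>\S+)\s+:\s+(?P<field_value>.+)")

# Same pattern with a lowercase \s in the name group, to show the caveat:
# \s+\s+: demands two or more whitespace characters directly before the colon,
# which never occurs in "name : value" lines with a single space.
LOWERCASE_S_RE = re.compile(r"(?P<field_name>\s+)\s+:\s+(?P<field_value>.+)")


def extract_original(event: str) -> Optional[str]:
    """Return what the asker's regex captures from the event."""
    m = ORIGINAL_RE.search(event)
    return m.group("FIELDNAME") if m else None


def extract_pairs(event: str, pattern: re.Pattern = PAIR_RE) -> Dict[str, str]:
    """Apply a field_name/field_value regex to every line of a multi-line event.

    A single search() would stop at the first line ("time"); iterating over
    all matches returns every "name : value" pair in the event. Without
    re.DOTALL, .+ stops at the end of each line, so values never bleed into
    the next field.
    """
    return {
        m.group("field_name"): m.group("field_value").rstrip()
        for m in pattern.finditer(event)
    }


if __name__ == "__main__":
    print("original regex ->", extract_original(SAMPLE_EVENT))
    for name, value in extract_pairs(SAMPLE_EVENT).items():
        print(f"{name} = {value}")
    print("lowercase \\s variant ->", extract_pairs(SAMPLE_EVENT, LOWERCASE_S_RE))
```

Running it on the constructed event, the original regex yields only "Mostly", the answer's regex yields all fourteen pairs including summary = "Mostly Cloudy", and the lowercase-\s variant yields an empty result.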