- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Generated pattern (regex)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to extract both of the words, is there anyone that knows how ? I have used this
(?i)summary : (?P<FIELDNAME>[\w\.]+)
but it extracts only the word Mostly.
summary : Mostly Cloudy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this expression and it work. Btw thanks for your help ! 😃
(?i)Summary : (?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this expression and it work. Btw thanks for your help ! 😃
(?i)Summary : (?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(?<field_name>\S+)\s+:\s+(?<field_value>.+)
Be careful about the cases of 's', because '\s' has a different meaning than '\S'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
see my comments down, I cannot post codes in here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well thats quite a different usecase, thanI would have guessed from your initial question. I updated my answer to extract the field_name ("summary") and the field_value ("Mostly Cloudy") seperatly.
But maybe you also want to take a look at handling multiline events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using 5.0.2. Btw it worked but my data is inputed this way(below), it extracts this
FIELDNAME
Mostly Cloudy
temperature
Foggy
temperature
lastword
temperature
(Splunk reads my data every 5 minutes)
time : 1371715104
visibility : 0.67
windBearing : 260
windSpeed : 9.41
psiAverage : 182
cloudCover : 0.61
dewPoint : 65.58
humidity : 0.39
icon : fog
ozone : 267.04
precipIntensity : 0
pressure : 1005.64
summary : Foggy
temperature : 94.49
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now I changed it, so the inner caption group is named as well, even if it is not needed on my test instance (5.0.1).
kailun, which splunk version do you use?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Invalid regex: no named extraction at position 27 (i.e., ">([\w.]+..."). Expected "(?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The questionmark in the inner caption group was producing a problem, I edited my answer to my tested solution.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
