Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me create the regex that captures a string with a space in it?

jip31
Motivator
‎11-26-2018 10:20 PM

Hello

I have a field with a space in the string :

Model=WDC WD5000LPLX-60ZNTT1

But SPLUNK displays only the characters WDC because of the space.

I need a regex please which displays WDC WD5000LPLX-60ZNTT1 (so with the space) but that will be readable by Splunk.

Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MathiasLindblom
Path Finder
‎11-26-2018 11:13 PM

If we assume that whatever comes after Model= is fixed, eg:

Model=WDC WD5000LPLX-60ZNTT1 Test=XYZ

You could use a lookahead to "Test" like this:

    Model=(?P<Model>.*(?!Test))\s

Hope this could help, otherwise it would help with the entire event as mentioned before.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MathiasLindblom
Path Finder
‎11-26-2018 11:13 PM

If we assume that whatever comes after Model= is fixed, eg:

Model=WDC WD5000LPLX-60ZNTT1 Test=XYZ

You could use a lookahead to "Test" like this:

    Model=(?P<Model>.*(?!Test))\s

Hope this could help, otherwise it would help with the entire event as mentioned before.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎11-27-2018 12:44 AM

I done | rex field=Caption "(?P(?!Test))\s" but i have the message⚠ Error in 'rex' command: Encountered the following error while compiling the regex '(?P(?!Test))\s': Regex: unrecognized character after (?P

0 Karma
Reply
Solved! Jump to solution

MathiasLindblom
Path Finder
‎11-27-2018 01:32 AM

If the event is on one line, you can use this:

| rex field=_raw "Model=(?P<Model>.*?)\sName"
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎11-27-2018 01:42 AM

perfect thanks

0 Karma
Reply
Solved! Jump to solution

MathiasLindblom
Path Finder
‎11-27-2018 01:25 AM

Hi,

seems like I lost a few characters when posting. If the event are as you described above, where they are all on each line, this regex should work:

| rex field=_raw "Model=(?P<Model>[^\n]*)"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-26-2018 10:28 PM

we need to see the entire event (preferably several of them).

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎11-27-2018 12:46 AM

here is an example of one event fields
20181121161210.530611
Caption=WDC WD5000LPLX-60ZNTT1
DeviceID=\.\PHYSICALDRIVE0
FirmwareRevision=02.01A02
Model=WDC WD5000LPLX-60ZNTT1
Name=\.\PHYSICALDRIVE0
Size=500105249280
Status=OK
wmi_type=DiskDrive

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...