It seems that there is no way to extract fields with a '.' in the name.
I'm trying to use field extractors on our older data to create fields matching the newer data json fields.
{ "pirate": { "say ": "Shiver me timbers" } }
pirate.say = "Shiver me timbers"
To test this, you can do something like this:
| metadata type=hosts index=_internal | head 1 | eval message="Shiver me timbers, goes the pirate" | table message | rex field=message "(?<pirate.say>[^,]+)"
But all I get for my efforts is the same error message in both the 'rex' prototype described above and 'Field extractions' page.
From the 'rex' prototype I get:
Error in 'rex' command: Encountered the following error while compiling the regex '(?<pirate.say>[^,]+)': Regex: syntax error in subpattern name (missing terminator)
From the 'Fields » Field extractions » Add new' I get:
Encountered the following error while trying to save: Regex: syntax error in subpattern name (missing terminator)
So any thoughts on how I can solve this one?
PCRE regular expressions do not permit a period in capture group names by the definition of the names. If you want to separate the words, you must use an underscore. Therefore you could use pirate_say, but not pirate.say or even pirate-say. You may only use A-Z, a-z, 0-9 and _ in capture group names.
Yes, I suspected as much.
Was hoping that there was a workaround for Splunk as they support field names with other characters.
The workaround I'm currently using is renaming pirate_say to pirate.say if pirate.say does not already exist.
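The rename-if-missing workaround described in the post above, written out as an added example (not code from the thread). The two sample events are constructed: one newer JSON event where spath already yields pirate.say, and one older plain-text event that needs the rex extraction; the regex is anchored and excludes `{` so that it only matches the older format.

```spl
| makeresults count=2
| streamstats count AS n
``` constructed sample data: event 1 is the newer JSON format, event 2 the older text format ```
| eval _raw=if(n=1, "{\"pirate\": {\"say\": \"Shiver me timbers\"}}", "Shiver me timbers, goes the pirate")
``` the JSON event gets pirate.say from spath; the text event gets nothing here ```
| spath
``` capture group names may only use A-Z, a-z, 0-9 and _, so extract into pirate_say ```
| rex field=_raw "^(?<pirate_say>[^,{]+),"
``` keep an existing pirate.say, otherwise fall back to the rex result ```
| eval "pirate.say"=coalesce('pirate.say', pirate_say)
| fields - pirate_say
| table _raw "pirate.say"
```

In eval, the dotted name is double-quoted on the left of the assignment and single-quoted on the right, because an unquoted `.` is the string concatenation operator there.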
Hi throstur,
beware that the search command
| rex field=message "(?<pirate_say>[^,]+)"
when it is in a dashboard, must be translated to
| rex field=message "(?&lt;pirate_say&gt;[^,]+)"
you missed ; in &lt; and &gt;
Bye.
Giuseppe
Thanks. 😄
Fixed it now
If this solution answers your question, please accept or upvote it.
Bye.
Giuseppe
No, this doesn't answer my question at all.