https://community.splunk.com/t5/Getting-Data-In/Multicharacter-Event-Delimiter/m-p/294180#M55911 <P>All,</P> <P>I have data that looks like this</P> <P>event_timestamp | vendor_action | http_method | url | user_dn | src_ip | source | application | | protocol | field_11</P> <P>Yes, the delimiter is space, pipe, space. The problem is those rare events that have | in the url cause the original regex and delims to put information into the wrong field. I wrote this regex</P> <PRE><CODE>^(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s\|\s(.*)\s\|\s(.*) </CODE></PRE> <P>and it shows things being extracted properly in the regex tool. When I put it into my laptop Splunk 6.5.2, it doesn’t process. Anyone have a solution for this problem?</P> <P>TIA<BR /> Joe</P> Tue, 29 Sep 2020 13:24:05 GMT jwhughes58 2020-09-29T13:24:05Z https://community.splunk.com/t5/Getting-Data-In/Multicharacter-Event-Delimiter/m-p/294180#M55911 <P>All,</P> <P>I have data that looks like this</P> <P>event_timestamp | vendor_action | http_method | url | user_dn | src_ip | source | application | | protocol | field_11</P> <P>Yes, the delimiter is space, pipe, space. The problem is those rare events that have | in the url cause the original regex and delims to put information into the wrong field. I wrote this regex</P> <PRE><CODE>^(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s(.*)\s\|\s\|\s(.*)\s\|\s(.*) </CODE></PRE> <P>and it shows things being extracted properly in the regex tool. When I put it into my laptop Splunk 6.5.2, it doesn’t process. Anyone have a solution for this problem?</P> <P>TIA<BR /> Joe</P> Tue, 29 Sep 2020 13:24:05 GMT https://community.splunk.com/t5/Getting-Data-In/Multicharacter-Event-Delimiter/m-p/294180#M55911 jwhughes58 2020-09-29T13:24:05Z https://community.splunk.com/t5/Getting-Data-In/Multicharacter-Event-Delimiter/m-p/294181#M55912 <P>@jwhughes58...You can add the sample data to Splunk's Interactive Field Extractor and then select the unmatched event with URL having required delimiter so that Splunk re-generates the required reg-ex.</P> <P>Checkout following Splunk Documentation:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/FXSelectFieldsstep">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/FXSelectFieldsstep</A></P> Fri, 24 Mar 2017 20:59:09 GMT https://community.splunk.com/t5/Getting-Data-In/Multicharacter-Event-Delimiter/m-p/294181#M55912 niketn 2017-03-24T20:59:09Z https://community.splunk.com/t5/Getting-Data-In/Multicharacter-Event-Delimiter/m-p/294182#M55913 <P>With kudos to @niketnilay this is the final solution to my regex question.</P> <PRE><CODE>^(\d+/\d+/\d+\s+\d+:\d+:\d+)[^\|\n]*\|\s+([^ ]+)[^\|\n]*\|\s+(\w+)(?:[^ \n]* ){2}([^ ]+)[^\|\n]*\|\s+([^ ]+)\s+\|\s+([^ ]+)[^\|\n]*\|\s+([a-z]+_[a-z]+\d+)[^\|\n]*\|\s+([^ ]+)\s+\|\s+\|\s+(\w+)\s\|\s(.*) </CODE></PRE> <P>It is ugly as all out, but it works.</P> Fri, 24 Mar 2017 22:05:46 GMT https://community.splunk.com/t5/Getting-Data-In/Multicharacter-Event-Delimiter/m-p/294182#M55913 jwhughes58 2017-03-24T22:05:46Z https://community.splunk.com/t5/Getting-Data-In/Multicharacter-Event-Delimiter/m-p/294183#M55914 <P>@jwhughes58... glad it worked <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sat, 25 Mar 2017 16:58:03 GMT https://community.splunk.com/t5/Getting-Data-In/Multicharacter-Event-Delimiter/m-p/294183#M55914 niketn 2017-03-25T16:58:03Z