topic With regex, can you help me with a matching issue for a blank space? in Splunk Search

With regex, can you help me with a matching issue for a blank space?

su_kumar — Sun, 10 Feb 2019 15:04:59 GMT

Hello,

I am having an issue with some regex that I wrote.

it is working fine except for this blank space.

Regex :

SHA:\s(?P<value>[^\,\"]+)\,\sFile:(?P<file>\s*[^\,\"]+)Time:\s(\d+\.?\d*)\s(?:.*)

Sample Log :

Case 1:

SHA: 829d93a28c73a03e832201de5159994, File: Time: 1537775701 details[File Analysis ] ------> not working when File name is blank space.

Case 2:
SHA: 68a4b235449a8c3cfc8ed, File: Guia-Deshaon-quicaTime: 1537780892 details[File Analysis ] -----> working fine.

issue:

Field extraction is not happening for filename in case 1. It is ignoring value for filename,
but in the case 2 field extraction, it is happening.

Please help. I am new to regex.

Re: With regex, can you help me with a matching issue for a blank space?

saurabhkharkar — Sun, 10 Feb 2019 15:48:09 GMT

Try this

SHA:\s(?<SHA>[^\,\"]+)\,\sFile:\s(?<File>.*?)Time:\s(?<Time>\d+)\s.+
| table SHA File Time

Re: With regex, can you help me with a matching issue for a blank space?

su_kumar — Sun, 10 Feb 2019 18:46:02 GMT

it is working on Regex101.com but still field extraction is not happening for file when after File: has space then Time:
log : File: Time:506034567 ---> here After File: has one space then Time: field
Why this field extraction is not happening when File: has space value

Re: With regex, can you help me with a matching issue for a blank space?

saurabhkharkar — Sun, 10 Feb 2019 19:02:59 GMT

seems to be working fine for me 
run this search - string is your sample log

| makeresults
| eval string="SHA: 829d93a28c73a03e832201de5159994, File: Time: 1537775701 details[File Analysis ]"
|rex field=string "SHA:\s(?<SHA>[^\,\"]+)\,\sFile:\s(?<File>.*?)Time:\s(?<Time>\d+)\s.+"
 | table SHA File Time

Re: With regex, can you help me with a matching issue for a blank space?

woodcock — Mon, 11 Feb 2019 07:05:26 GMT

Try this:

... | rex "SHA:\s(?<SHA>[^,]+),\sFile:\s(?<File>\S*?)Time:\s(?<Time>\d+)\sdetails\s*\[(?<details>[^\]]+)"

Re: With regex, can you help me with a matching issue for a blank space?

vinod94 — Mon, 11 Feb 2019 07:20:50 GMT

You can try this,

your search | rex  "SHA\:\s([a-zA-Z0-9]+)\,\sFile\:(?P<File>[^Time].*)Time\:(?P<Time>[^\d]\d+)"

run anywhere this search,

| makeresults 
| eval data="SHA: 829d93a28c73a03e832201de5159994, File: Time: 1537775701 details[File Analysis ];
SHA: 68a4b235449a8c3cfc8ed, File: Guia-Deshaon-quicaTime: 1537780892 details[File Analysis ] " 
| makemv delim=";" data 
| mvexpand data 
| rename data as _raw 
| fields - _time 
| rex field=_raw "SHA\:\s([a-zA-Z0-9]+)\,\sFile\:(?P<File>[^Time].*)Time\:(?P<Time>[^\d]\d+)"

Re: With regex, can you help me with a matching issue for a blank space?

kushagra9120 — Sun, 17 Feb 2019 14:04:36 GMT

| makeresults 
| eval msg="SHA: 829d93a28c73a03e832201de5159994, File: Time: 1537775701 details[File Analysis ] ; SHA: 68a4b235449a8c3cfc8ed, File: Guia-Deshaon-quicaTime: 1537780892 details[File Analysis ]"
| makemv delim=";" msg
| mvexpand msg
| rex field=msg "SHA:\s(?P<value>[^\,\"]+)\,\sFile:(?P<file>\s*[^\,\"]+)?Time:\s(\d+\.?\d*)\s(?:.*)"
| eval file = if('file'=" ","Null",'file')

This should give you two file values Null and Guia-Deshaon-quica

Re: With regex, can you help me with a matching issue for a blank space?

woodcock — Fri, 08 Mar 2019 03:21:02 GMT

Hey, where did you go? Come back here and tell us what happened. Click Accept somewhere and close the question.