topic Re: Query regarding splunk field extraction in Splunk Search

Query regarding splunk field extraction

p_basanth — Wed, 20 Mar 2013 04:06:14 GMT

Using the below regex I was able to extract first7 fields
Need to extract the last 3 fields
How to skip the blank <> <> tags and continue?

Sample Event:

####(DateTime) (Info) (Health) (host.domain.name) (component1) (component2) ((anonymous)) () () (1363678659879) (BEA-310002) (54% of the total memory in the server is free)

The original event has angular braces <> as the field delimiter above. Due to browser compatibility i have changed them to normal braces()

Regex working fine (first 7 fields):

####<(?P< F1>[^>]+)> \s+<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^.]+)[^<\n]<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^>]+>)>

Below regex not working (after 7th field):

####<(?P< FIELDNAME1>[^>]+)> \s+<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^.]+)[^<\n]<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^>]+>)>[^>\n]>\s[^>\n]>\s+<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^>]+)>

Re: Query regarding splunk field extraction

p_basanth — Wed, 20 Mar 2013 04:07:46 GMT

Original sample Event:

 ####      <> <> <> <1363678659879>  <54% of the total memory in the server is free>

Re: Query regarding splunk field extraction

datasearchninja — Wed, 20 Mar 2013 04:16:14 GMT

You need to change the '+' to a '*' in any field that can be empty.

e.g:
[^>]+ must match at least one character that is not '>'
[^>]* can match no characters

Re: Query regarding splunk field extraction

p_basanth — Wed, 20 Mar 2013 04:34:28 GMT

No luck !! Tried '*' in the place of '+'. Not able to locate 3rd last field

Re: Query regarding splunk field extraction

p_basanth — Wed, 20 Mar 2013 04:55:40 GMT

Figured out the issue. The field before empty has 2 angular braces <>. Now working fine. Thanks for the pointer.