topic Re: error on field extraction using regex !! in Splunk Search

error on field extraction using regex !!

sg5258 — Fri, 15 Jun 2012 03:21:44 GMT

Hi,

i am trying to use regex to extract field.. and i facing some problem when it has null value on the field.. i will give example on the following:

field1      field2           field3
AAAAA       BBBBB            CCCCC
DDDDD                        EEEEE
FFFFF                        
GGGGG       HHHHH

i use regex in my transform.conf as follow

[transform-impressio]
REGEX = (.{5})(.{12})(.{17})
FORMAT = field1::"$1" field2::"$2 field3::"$3

Basically this regex does for everything from the first 5 character belong to field1 and next 12 belong to field 2 and next 17 belong to field 3

However, when i search on splunk it return me.

field1     field 2      field 3
AAAAA      BBBBB        CCCCC
DDDDD                   EEEEE

it missing the another 2 row

And i understand it is because that if it has empty space on last field then this regex couldn't work!!..
anyone has good suggestion on it?

thanks

Re: error on field extraction using regex !!

Ayn — Fri, 15 Jun 2012 05:16:27 GMT

You should consider splitting this up into separate regex for each field instead of one huge regex containing all matches. Could you paste some actual events that you want to match on?

Re: error on field extraction using regex !!

kristian_kolb — Fri, 15 Jun 2012 08:10:40 GMT

As Ayn said, always post sample events in order to get any decent help on regex questions. Also, there seems to be some unbalanced double-quotes in your FORMAT =. Not sure you need quotes at all.