topic Rex Field in Splunk Search

Rex Field

jwursteisen — Fri, 17 Jun 2022 18:42:34 GMT

...

Re: Rex Field

ITWhisperer — Fri, 17 Jun 2022 16:19:55 GMT

Please check (and correct if necessary) the formatting of the second example, for instance, in the first example, the colon (:) sometimes has a space after and sometimes before as well. Since spaces are used in your pattern matching, it is important to get this as accurate as possible.

Re: Rex Field

jwursteisen — Fri, 17 Jun 2022 16:39:01 GMT

Thank you, I looked into the formatting of the spaces. In the second event, there is no space between backendIdentifier and GFEDCBA-UUU, ceoCompanyId and EDCBA222, SOURCE_SYSTEM and SOURC1. There is a space between 'ERP_CLIENT:' and 'true'

logMessage: backendIdentifier:GFEDCBA-UUU ~ ceoCompanyId:EDCBA222 ~ SOURCE_SYSTEM:SOURC1 ~ ERP_CLIENT: true

In the first example, there a space before and after these words:

logMessage: ceoCompanyId : ABCDE111 ~ SOURCE_SYSTEM : SOURC1 ~ ERP_CLIENT: true

Do you think this may have an effect on the missing result?

Re: Rex Field

ITWhisperer — Fri, 17 Jun 2022 16:48:38 GMT

Definitely.

Try this instead of the rex

Re: Rex Field

jwursteisen — Fri, 17 Jun 2022 17:36:08 GMT

Excellent. That worked prefect! Thank you very much!