topic Re: Multiple capture groups not capturing in Splunk Search

Multiple capture groups not capturing

arielbintang — Sat, 25 Nov 2023 22:02:33 GMT

I have the following log structure:

2023-11-25T21:18:54.244444 [ info ] I am a log message request = GET /api/myendpoint request_id = ff223452

I can capture the date and time (without the 244444 part) using:

rex field=myfield "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+"

and timestamp is properly captured.

But if I try to extend this and want to capture the log level as well with for example:

rex field=myfield "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+\s+\[\s*(?<loglevel>\w+)\s*\]\s+"

It didn't work; none of the timestamp nor the loglevel is captured.

What am I doing wrong?

Re: Multiple capture groups not capturing

ITWhisperer — Sat, 25 Nov 2023 22:52:19 GMT

You don't appear to be doing anything wrong, given the example you have shared.

| makeresults | eval _raw="2023-11-25T21:18:54.244444 [ info ] I am a log message request = GET /api/myendpoint request_id = ff223452" | rex "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+\s+\[\s*(?<loglevel>\w+)\s*\]\s+"

Re: Multiple capture groups not capturing

arielbintang — Sun, 26 Nov 2023 09:10:47 GMT

Thanks for verifying! When I copy paste my log directly to the search box from the log message field and used your makeresults, I see that actually some of the spaces are actually character; do you know why perhaps its not shown in the results itself (and I have to copy paste)?

Re: Multiple capture groups not capturing

ITWhisperer — Sun, 26 Nov 2023 11:31:51 GMT

Assuming that the non-word characters are in the square brackets, you could try something like this

but, ideally, you should ask the developers of the application to not use these characters in the first place.