https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156772#M44105 <P>Ayn, I actually read your notes here: <A href="http://answers.splunk.com/answers/67170/index-time-field-extraction">http://answers.splunk.com/answers/67170/index-time-field-extraction</A> about using search-time extractions....and I just learned what the difference is from the docs!</P> Tue, 26 Nov 2013 22:18:23 GMT RMartinezDTV 2013-11-26T22:18:23Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156765#M44098 <P>Hi, I'm working on a Regex for field extractions of an alert log. The log has 1 line per alert in the following format:</P> <PRE><CODE>[11/26/2013 9:13:41 AM] Server1 LogTest: /var/log Ok Text Log test [11/26/2013 9:13:36 AM] Server1 LogTest: /var/log Bad &lt;......data.......&gt; Text Log test </CODE></PRE> <P>The difficulty comes when handling some OK statuses; you'll notice here that a 'Bad' status returns data (the relevant log lines), but an 'Ok' status returns a blank (actually 2 tabs) data section.</P> <P>It seems like every regex I come up with will accidentally capture some part of <CODE>Text Log test</CODE> and use that as part of all of the <CODE>data</CODE> section when <CODE>data</CODE> isn't present.</P> <P>Can I get some pointers on the proper regex expression? My current regex is below, and I think I've exhausted the guess and check method. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <PRE><CODE>]\t+\s+(?P&lt;server&gt;.+?)\s+(?P&lt;category&gt;.+?)\s(?P&lt;object&gt;.+?)\t(?P&lt;status&gt;.+?)\t(?P&lt;data&gt;.+?)\t(?P&lt;test&gt;.+?) </CODE></PRE> Tue, 26 Nov 2013 17:32:22 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156765#M44098 RMartinezDTV 2013-11-26T17:32:22Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156766#M44099 <P>Have you tried setting this up for search time extraction using the log delimiter and a preset series of fields?</P> Tue, 26 Nov 2013 17:44:58 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156766#M44099 lukejadamec 2013-11-26T17:44:58Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156767#M44100 <P>DELIMS doesn't work as an index-time extraction, and index-time extractions should be avoided unless you really know what you're doing and why.</P> Tue, 26 Nov 2013 18:09:31 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156767#M44100 Ayn 2013-11-26T18:09:31Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156768#M44101 <P>My mistake, a search time field extraction.</P> Tue, 26 Nov 2013 18:25:12 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156768#M44101 lukejadamec 2013-11-26T18:25:12Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156769#M44102 <P>Would it work better if you change the end </P> <PRE><CODE>(?P&lt;status&gt;.+?)\t(?P&lt;data&gt;.+?)\t(?P&lt;test&gt;.+?) </CODE></PRE> <P>to</P> <PRE><CODE>(?P&lt;status&gt;.+)\t(?P&lt;data&gt;.*)\t(?P&lt;test&gt;.+) </CODE></PRE> <P>then you <DATA> should match to an empty string if there is just 2 tabs in case of "Ok"? It sounds too easy and I didn't test it with Splunk, so maybe I'm missing something?</DATA></P> Tue, 26 Nov 2013 20:13:25 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156769#M44102 kallu 2013-11-26T20:13:25Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156770#M44103 <P>Thanks! This was almost perfect. See my answer below.</P> Tue, 26 Nov 2013 22:15:59 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156770#M44103 RMartinezDTV 2013-11-26T22:15:59Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156771#M44104 <P>Probably tacky to accept my own answer, but here's the final result for reference:</P> <PRE><CODE>]\t+\s+(?P&lt;server&gt;.+?)\s+(?P&lt;category&gt;.+?):\s(?P&lt;object&gt;.+?)\t(?P&lt;status&gt;.+?)\t(?P&lt;data&gt;.*)\t(?P&lt;test&gt;.*)\t </CODE></PRE> <P>This correctly matches event when a field has blank data. Adjust punctuation (\t,\s,:, and ]) as needed for your data.</P> Tue, 26 Nov 2013 22:17:20 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156771#M44104 RMartinezDTV 2013-11-26T22:17:20Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156772#M44105 <P>Ayn, I actually read your notes here: <A href="http://answers.splunk.com/answers/67170/index-time-field-extraction">http://answers.splunk.com/answers/67170/index-time-field-extraction</A> about using search-time extractions....and I just learned what the difference is from the docs!</P> Tue, 26 Nov 2013 22:18:23 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Regex-When-Column-Is-Sometimes-Absent/m-p/156772#M44105 RMartinezDTV 2013-11-26T22:18:23Z