https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203008#M58967 <P>Hello,</P> <P>In props.conf add the following:</P> <PRE><CODE>[rsrs] REPORT-extraction = field_extraction </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[field_extraction] REGEX = (?&lt;field1&gt;\w{1,10})\s*(?&lt;field2&gt;\w{1,18})\s*(?&lt;field3&gt;\d{1,8})\s*(?&lt;field4&gt;\w{1,12})\s* </CODE></PRE> <P>Regards</P> Wed, 21 Sep 2016 14:32:28 GMT aakwah 2016-09-21T14:32:28Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203000#M58959 <P>Hi all.</P> <P>I have some log files like this:</P> <PRE><CODE>265964455 00000000000000028000000002Fuerza R 1 0000000100 </CODE></PRE> <P>Field delimitation rules are (in this case, i have similar logs with other character distribution):</P> <PRE><CODE>First 10 characters or 265964455 = FIELD1 Next 18 characters or 000000000000000280 = FIELD2 Next 8 characters or 00000002 = FIELD3 Next 12 charcaters or Fuerza = FIELD4 ... </CODE></PRE> <P>I tried with:</P> <PRE><CODE>sourcetype=rsrs | rex field=MultiField "(?&lt;FIELD1&gt;.{10}) (?&lt;FIELD2&gt;.{18}) (?&lt;FIELD3&gt;.{8}) (?&lt;FIELD4&gt;.{12}) ..." </CODE></PRE> <P>But didn't work. Anyone can help me please?</P> Wed, 21 Sep 2016 03:17:30 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203000#M58959 changux 2016-09-21T03:17:30Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203001#M58960 <P>Try this</P> <PRE><CODE>sourcetype=rsrs | rex "(?&lt;field1&gt;\w{1,10})\s*(?&lt;field2&gt;\w{1,18})\s*(?&lt;field3&gt;\d{1,8})\s*(?&lt;field4&gt;\w{1,12})\s*" </CODE></PRE> Wed, 21 Sep 2016 03:56:38 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203001#M58960 sundareshr 2016-09-21T03:56:38Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203002#M58961 <P>Works great! <BR /> Thanks!<BR /> How i can do permanent it? Sorry for disturb.</P> Wed, 21 Sep 2016 12:14:11 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203002#M58961 changux 2016-09-21T12:14:11Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203003#M58962 <P>permanent it meaning? learning rex?</P> Wed, 21 Sep 2016 12:27:23 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203003#M58962 inventsekar 2016-09-21T12:27:23Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203004#M58963 <P>Thanks. I mean, putting correctly in props.conf. Do you can please help me with the stanza? I don't know if i need transforms.conf also.</P> Wed, 21 Sep 2016 12:29:05 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203004#M58963 changux 2016-09-21T12:29:05Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203005#M58964 <P>You can use this regex in the Field Extraction UI (IFX) OR Add this to your props under the appropriate sourcetype stanza</P> <PRE><CODE>EXTRACT-fields = (?&lt;field1&gt;\w{1,10})\s*(?&lt;field2&gt;\w{1,18})\s*(?&lt;field3&gt;\d{1,8})\s*(?&lt;field4&gt;\w{1,12}) </CODE></PRE> Wed, 21 Sep 2016 13:10:50 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203005#M58964 sundareshr 2016-09-21T13:10:50Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203006#M58965 <P>Thanks a lot. If some field contains symbols, for example <CODE>-</CODE>, how i must catch?</P> <P>Data:</P> <PRE><CODE>000000000001614636IObser4AI-TP </CODE></PRE> <P>Command:</P> <PRE><CODE> | rex "(?&lt;FIELD1&gt;\w{1,10})\s*(?&lt;FIELD2&gt;\w{1,18})\s*(?&lt;FIELD3&gt;\w{1,6})\s*(?&lt;FIELD4&gt;\w{1,6})\s*" </CODE></PRE> <P>FIELD4 returns <CODE>4AI</CODE> and should be <CODE>4AI-TP</CODE>. The symbol <CODE>-</CODE> is a non word character and the expression stops.</P> Wed, 21 Sep 2016 13:43:13 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203006#M58965 changux 2016-09-21T13:43:13Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203007#M58966 <P>Self answered, <CODE>\S{w1,6}</CODE> works! Thanks again!</P> Wed, 21 Sep 2016 13:55:42 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203007#M58966 changux 2016-09-21T13:55:42Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203008#M58967 <P>Hello,</P> <P>In props.conf add the following:</P> <PRE><CODE>[rsrs] REPORT-extraction = field_extraction </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[field_extraction] REGEX = (?&lt;field1&gt;\w{1,10})\s*(?&lt;field2&gt;\w{1,18})\s*(?&lt;field3&gt;\d{1,8})\s*(?&lt;field4&gt;\w{1,12})\s* </CODE></PRE> <P>Regards</P> Wed, 21 Sep 2016 14:32:28 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203008#M58967 aakwah 2016-09-21T14:32:28Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203009#M58968 <P>Thank you!</P> Wed, 21 Sep 2016 15:57:08 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203009#M58968 changux 2016-09-21T15:57:08Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203010#M58969 <P>Last question, how capture the 6 digits/numbers/letters/spaces or whatever.</P> <P>I tried using <CODE>rex</CODE> with <CODE>\S</CODE>, <CODE>\V</CODE> and <CODE>\X</CODE> but doesn't work.</P> <P>Data looks like:</P> <P><A href="https://www.dropbox.com/s/t5lg8tkzt1prje0/sample.txt?raw=1">https://www.dropbox.com/s/t5lg8tkzt1prje0/sample.txt?raw=1</A></P> <P>And my rex expression:</P> <PRE><CODE>... | rex "(?&lt;DATA_ID_NRO_DATA&gt;\S{1,10})\s* ..." </CODE></PRE> <P>One of my problems is with the <CODE>DATA_LUG_EXP</CODE>field that must be return empty (character positions: 141-147 in this line are empty) and returns the value of the next field <CODE>DATA_ID_COD_RES</CODE>, but in general, the data is very complex to extract it perfectly <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 21 Sep 2016 20:39:24 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203010#M58969 changux 2016-09-21T20:39:24Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203011#M58970 <P>@sundareshr any idea to solve this? The data string has spaces, big text sequences and well, i don't know how proceed.</P> <P>Thanks!</P> Wed, 21 Sep 2016 21:29:20 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203011#M58970 changux 2016-09-21T21:29:20Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203012#M58971 <P>Not sure I understand. In the data example you posted, what would the value for DATA_LUG_EXP be if extracted correctly</P> Tue, 29 Sep 2020 11:06:58 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203012#M58971 sundareshr 2020-09-29T11:06:58Z https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203013#M58972 <P>No, in the position 141 you doesn't have data, so, the field must be null. I can publish a small dataset to explain in a better way, ok?</P> Thu, 22 Sep 2016 12:50:34 GMT https://community.splunk.com/t5/Splunk-Search/Field-delimitation-using-character-position/m-p/203013#M58972 changux 2016-09-22T12:50:34Z