topic Extraction regular expression in Splunk Search

Extraction regular expression

bharpur183 — Sat, 09 Sep 2017 00:15:42 GMT

I am using the extraction (regular expression) option to extract a particular field from the events.
The issue I am having is the extraction works only for the previous events and not for the current ones coming in. Need some help.

Re: Extraction regular expression

skoelpin — Sat, 09 Sep 2017 00:54:35 GMT

Field extractions are relative to the sourcetype. Are you sure that your using the correct sourcetype when looking at the new field?

Re: Extraction regular expression

cpetterborg — Sat, 09 Sep 2017 01:15:39 GMT

Where is the regular expression? config files, or auto field extractions, or SPL rex in your search?

Re: Extraction regular expression

bharpur183 — Tue, 29 Sep 2020 15:38:45 GMT

So this is the actual event :

9/8/17
8:30:01.598 PM

2017-09-08T20:30:01.598-04:00 INFO m_gchgserv_gchg.cpp(2264)[9] GCHG::sendGchgUpdate() - 105971244 type: 1 note: In-Progress {FIFW GCHG 167015}: Install power supply
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT
Rep : Mike Sunil
Note: Install power supplies

And from this I am trying to extract
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT

This time window is different always depending on work.
The extraction I did shows all the previous ones but not the current ones

Re: Extraction regular expression

bharpur183 — Tue, 29 Sep 2020 15:38:48 GMT

So this is the actual event :

And from this I am trying to extract
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT

This time window is different always depending on work.
The extraction I did shows all the previous ones but not the current ones

Re: Extraction regular expression

skoelpin — Sat, 09 Sep 2017 01:32:58 GMT

Can you provide your regex?

It should look something like this
(?<Field_Name>Scheduled.+)

Re: Extraction regular expression

bharpur183 — Sat, 09 Sep 2017 01:43:54 GMT

Am using the option " Extract new fields " from the left hand side column . The automatic option and no regex command line

Re: Extraction regular expression

skoelpin — Sat, 09 Sep 2017 01:46:20 GMT

Try appending this to the end of your search and see if it created the field Field_Name

| rex (?<Field_Name>Scheduled.+)

Re: Extraction regular expression

bharpur183 — Sat, 09 Sep 2017 01:49:53 GMT

It didn't do anything

Re: Extraction regular expression

gcusello — Sat, 09 Sep 2017 06:05:41 GMT

Hi bharpur183,
Try with this regex in rex command or in field extraction:

| rex "Scheduled\s+:\s+(?<Field_Name>.+)\s+Rep"

test it at https://regex101.com/r/o09dVs/1

Bye.
Giuseppe

Re: Extraction regular expression

woodcock — Sat, 09 Sep 2017 14:50:17 GMT

This is a long shot: are you talking about an accelerated datamodel? When you accelerate a datamodel, it goes through an additional indexing pass that creates index-time fields and it is cooked into the tsidx as it is now. If you change the field extraction, then anything that is cooked after the change will reflect the change but not the stuff already cooked. You can delete your datamodel acceleration and rebuild it.

Re: Extraction regular expression

woodcock — Sat, 09 Sep 2017 14:53:16 GMT

Try making it multiline like this:

| rex "(?ms)[\r\n]+(?<Field_Name>Scheduled[^\r\n]+)"

Re: Extraction regular expression

bharpur183 — Sat, 09 Sep 2017 20:34:37 GMT

That worked. thanks cusello