Hello, I am trying to extract some values with Splunk using the rex command. When I extract it, I get values, but some of the values are incorrect. One of my values is 30, but I notice that Splunk only seems to extract the "3" from 30 and displays it.
Here is my search:
index=monitoring sourcetype=PEGA:WinEventLog:Application ( SourceName="RoboticLogging" OR SourceName="Application" ) ("Type=" "Information") | rex "Number of New Employees in NEO Report without job title Temporary Agy Svc Asst:\s*(?<ex>[^4]+?)" | rex field=_raw "Department=\"(?<dept>.+?)\"" | where dept = "HRSS_NEO" OR dept = "HRSS Daily NEO Report" | rex field=_raw "Automation=\"(?<auto>.+?)\"" | where auto = "NEO_P_SplunkMetrics" | bucket _time span=day | eval Time = strftime(_time, "%b %d, %Y") | fields - _time | dedup Time | table Time, ex | rename ex as "No. of Employees" | sort Time desc
On bar chart, the 30 is shown as a 3. While the 5 is shown as normal. See highlighted.
Attached screen shots of the searches.
Your extract is not greedy enough. The question mark tells it to stop as soon as possible.
A better solution to try, which tells it to stop matching at the comma:
| rex "Number of New Employees in NEO Report without job title Temporary Agy Svc Asst:\s*(?<ex>[^,]+)"
Be careful with the use of the question mark when extracting, because you may not get everything you expect. Take a look in the posts with the regex tags for great examples. One very useful tactic is to use the not-match. If you know the item you seek is followed by a comma, then match everything that is not a comma, which would be:
This is often much more effective than trying to define everything that does belong in the character class, if you simply know what doesn't belong.
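To see the lazy-quantifier effect described in this thread outside Splunk, here is an added Python example (not from the original question or answer) that runs the question's `[^4]+?` pattern and the answer's `[^,]+` fix over constructed event lines; `(?P<ex>...)` is Python's spelling of Splunk's `(?<ex>...)` named group, and the sample events are made up for the demonstration.

```python
import re

# Constructed sample events (not from the original post), shaped like the
# Windows Application log text the question's search extracts from.
SAMPLE_EVENTS = [
    'Type=Information Department="HRSS_NEO" Automation="NEO_P_SplunkMetrics" '
    'Number of New Employees in NEO Report without job title Temporary Agy Svc Asst: 30, Total=45',
    'Type=Information Department="HRSS Daily NEO Report" Automation="NEO_P_SplunkMetrics" '
    'Number of New Employees in NEO Report without job title Temporary Agy Svc Asst: 5, Total=12',
]

PREFIX = r"Number of New Employees in NEO Report without job title Temporary Agy Svc Asst:\s*"

# The question's extraction: the lazy +? stops after a single character because
# nothing follows the group to force it to consume more, so "30" becomes "3".
LAZY_RE = re.compile(PREFIX + r"(?P<ex>[^4]+?)")

# The answer's fix: a greedy negated class that keeps consuming up to the comma.
FIXED_RE = re.compile(PREFIX + r"(?P<ex>[^,]+)")


def extract(pattern, event):
    """Return the captured 'ex' value (whitespace stripped), or None if no match."""
    m = pattern.search(event)
    return m.group("ex").strip() if m else None


def compare(events):
    """Pair the lazy and fixed extractions for each event: [(lazy, fixed), ...]."""
    return [(extract(LAZY_RE, e), extract(FIXED_RE, e)) for e in events]


if __name__ == "__main__":
    for lazy, fixed in compare(SAMPLE_EVENTS):
        print(f"lazy [^4]+? -> {lazy!r:6} fixed [^,]+ -> {fixed!r}")
```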