Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- why does a ".*" extraction line ruin my query?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
why does a ".*" extraction line ruin my query?
Here is my original query:
tag=autoexpress_prod level=debug mdc.InvocationName=calculatePremiumAutoProcessc "serviceRequestName"
| rex field=message "<FirstName>(?
| rex field=message "<LastName>(?
| rex field=message "<MaritalStatus>(?
| dedup Married Fname Lname mdc.QuoteID
| join mdc.QuoteID
[search tag=autoexpress_prod level=debug mdc.InvocationName=recordBillingAccount "webservice request XML"
| rex field=message "<bil:externalPolicyNum>(?
| rename mdc.State as State, mdc.QuoteID as QuoteID
| table _time, PolicyNumber, State, QuoteID, Fname, Lname, Married
| sort 0 Fname Lname
| streamstats count by Fname Lname QuoteID
| eventstats max(count) as keep by Fname Lname
| search keep=2
it looks for people that change their marital status. The problem arises when I add this line: | rex field=message"<DECFirstName>(?<Message>.*)</DECFirstName>"
it completely prevents the query from grabbing certain pieces of data and I have no idea why?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure if it is just the formatting or a typo, but after the field=message you don't have a space before the double quote. That causes an error in the rex command processing. I tried this, which worked:
| makeresults | eval message="<DECFirstName>This is it</DECFirstName>" | rex field=message "\<DECFirstName\>(?<Message>.*)\</DECFirstName\>"
So I think that your rex is almost fine, it the only thing is the spacing before the double quote.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's what it looks like to me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi tfortne,
could you share your search using the Code sample button (101 010) because we cannot see your regexes.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tag=autoexpress_prod level=debug mdc.InvocationName=calculatePremiumAutoProcessc "serviceRequestName"
| rex field=message "\<DECFirstName\>(?<Message>.*)\</DECFirstName\>"
| rex field=message "\<FirstName\>(?<Fname>\w+)"
| rex field=message "\<LastName\>(?<Lname>\w+)"
| rex field=message "\<MaritalStatus\>(?<Married>\w+)"
| dedup Married Fname Lname mdc.QuoteID
| join mdc.QuoteID
[search tag=autoexpress_prod level=debug mdc.InvocationName=recordBillingAccount "webservice request XML"
| rex field=message "\<bil:externalPolicyNum\>(?<PolicyNumber>.{0,12})"]
| rename mdc.State as State, mdc.QuoteID as QuoteID
| table _time, PolicyNumber, State, Fname, Lname, Married, Message
| sort 0 Fname Lname
| streamstats count by Fname Lname QuoteID
| eventstats max(count) as keep by Fname Lname
| search keep=2
Here, sorry about that. I tried the fix, and it seemed to work, But i think the issue appears when i add the sorting function to it. For some reason the DECFirstName field makes the code drop results.
September Community Champions: A Shoutout to Our Contributors!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
