Solved: Field extraction does not work when the second fie...

asharmaeqfx · ‎09-29-2020

Hi Splunkers,

I have set up a field extractor and it does not work when the log entry is empty. For e.g

Field extraction syntax is

---------------------------

(?:[^=\n]*=){9}"(?P<frontEndLatency>\d+)"\s+\w+="(?P<backEndLatency>\d+)

--------------------------

Log messages

---------------------

blah blah contentType="text/xml" frontEndLatency="587" backEndLatency="391" messages= blah

---------------

It extracts correctly frontEndLatency="587" and backEndLatency="391"

If somehow in the log file one of the field is empty, it does not extracts properly

Log Messages

-------------

blah blah contentType="text/xml" frontEndLatency="1795" backEndLatency="" messages= blah blah

--------------

How to set this up or handle it via field extraction? Your help is much appreciated.

Thanks,

ITWhisperer · ‎09-29-2020

Change this part of the regex

(?P<backEndLatency>\d+)

to

(?P<backEndLatency>\d*)

The "+" means at least 1 which doesn't match your failing example, "*" means any number including zero which does match your example

asharmaeqfx · ‎10-05-2020

Thanks ITWhisperer

It is working fine. I applied it last tuesday and it works like a charm.

Appreciate it.

Thanks,
Amit

ITWhisperer · ‎09-29-2020

Change this part of the regex

(?P<backEndLatency>\d+)

to

(?P<backEndLatency>\d*)

The "+" means at least 1 which doesn't match your failing example, "*" means any number including zero which does match your example

Field extraction does not work when the second field is empty