Splunk Enterprise

Unable to extract unicode charecter from indexed data after applying regex in props.conf

soumyacharya91
Path Finder

Hi,

I am applying a regex to extract values from a string which carries unicode charecters. The strange thing is when I try to apply the regex from my SH it is working fine. But when the same has been applied using props file the result is populating with its hex value. Like if my string contains “O with stroke” I am getting the result as \u00f8 in my search for that character when using field extraction from props.conf. Any help will be highly appreciated.

Thanks,

Tags (1)
0 Karma

mayurr98
Super Champion

Try this run anywhere search

| makeresults 
| eval _raw="user Kim Søby Nielsen from" 
| rex field=_raw "user\s(?<name>.+?(?=\sfrom))"

To automate it,
go to Fields » Field extractions » Add new
Extraction/transforms:
user\s(?<name>.+?(?=\sfrom))

let me know if this helps!

0 Karma

soumyacharya91
Path Finder

No it's not working. Tested and getting the hex value as before. Kim S\u00f8by Nielsen
Updated file in props.conf as EXTRACT-user_role=user\s(?.+?(?=\sfrom))

0 Karma

p_gurav
Champion

Can you tell me what settings you are using in props.conf?

0 Karma

soumyacharya91
Path Finder

Hi Gurav,

The data on which I want to apply the regex is like user Kim Søby Nielsen from.

The expression i'm using in my search heads props.conf is EXTRACT-user_role=user (?.+?) from

The result I'm getting is Kim S\u00f8by Nielsen and the expected result should be like Kim Søby Nielsen which is population if I'm executing the query at the time of search. Query using at search time is rex field=Display "user (?.+?) from"

Thanks

0 Karma

p_gurav
Champion

Can you try using splunk's in-build "Field Extractor".

0 Karma

soumyacharya91
Path Finder

I have already tried that. But it is not working. Still same result.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...