Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me create the regex that captures a string with a space in it?

jip31
Motivator
‎11-26-2018 10:20 PM

Hello

I have a field with a space in the string :

Model=WDC WD5000LPLX-60ZNTT1

But SPLUNK displays only the characters WDC because of the space.

I need a regex please which displays WDC WD5000LPLX-60ZNTT1 (so with the space) but that will be readable by Splunk.

Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MathiasLindblom
Path Finder
‎11-26-2018 11:13 PM

If we assume that whatever comes after Model= is fixed, eg:

Model=WDC WD5000LPLX-60ZNTT1 Test=XYZ

You could use a lookahead to "Test" like this:

    Model=(?P<Model>.*(?!Test))\s

Hope this could help, otherwise it would help with the entire event as mentioned before.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MathiasLindblom
Path Finder
‎11-26-2018 11:13 PM

If we assume that whatever comes after Model= is fixed, eg:

Model=WDC WD5000LPLX-60ZNTT1 Test=XYZ

You could use a lookahead to "Test" like this:

    Model=(?P<Model>.*(?!Test))\s

Hope this could help, otherwise it would help with the entire event as mentioned before.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎11-27-2018 12:44 AM

I done | rex field=Caption "(?P(?!Test))\s" but i have the message⚠ Error in 'rex' command: Encountered the following error while compiling the regex '(?P(?!Test))\s': Regex: unrecognized character after (?P

0 Karma
Reply
Solved! Jump to solution

MathiasLindblom
Path Finder
‎11-27-2018 01:32 AM

If the event is on one line, you can use this:

| rex field=_raw "Model=(?P<Model>.*?)\sName"
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎11-27-2018 01:42 AM

perfect thanks

0 Karma
Reply
Solved! Jump to solution

MathiasLindblom
Path Finder
‎11-27-2018 01:25 AM

Hi,

seems like I lost a few characters when posting. If the event are as you described above, where they are all on each line, this regex should work:

| rex field=_raw "Model=(?P<Model>[^\n]*)"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-26-2018 10:28 PM

we need to see the entire event (preferably several of them).

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎11-27-2018 12:46 AM

here is an example of one event fields
20181121161210.530611
Caption=WDC WD5000LPLX-60ZNTT1
DeviceID=\.\PHYSICALDRIVE0
FirmwareRevision=02.01A02
Model=WDC WD5000LPLX-60ZNTT1
Name=\.\PHYSICALDRIVE0
Size=500105249280
Status=OK
wmi_type=DiskDrive

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...