Splunk Search

Extraction picking the next match

srinivas_gowda
Path Finder

Hello all,

 

I am trying to extract a field from the below event and the extraction is working fine on events that is coming with the value for the field. However, in the events that are coming in empty values it is picking the next matching value. How to fix it so it only picks the required value and ignore the empty field.

Expression used:

(?:[^,]+,){23}\"(?<occurance>\w+)\",.*

 

Below highlighted is the event that is extracting correct:

50271232,00004102,00000000,1600,"20210901225500","20210901225500",4,-1,-1,"SYSTEM","","System",46769357,"System","Server-I \x83W\x83\x87\x83u\x83l\x83b\x83g(AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX:@5V689)\x82\xF0\x8AJ\x8En\x82\xB5\x82܂\xB7","Information","admin","/App/Sys/AJS2","JOBNET","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","JOBNET","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","START","20210901225500","","",11,"A0","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds","A1","04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","A3"

 

The below event does not have the value in the field and the next matching field is picked from below.

50266209,00000501,00000000,3476,"20210901220311","20210901220311",4,-1,-1,"SYSTEM","","psd005",142331,"MS932","OR01201S [psd005:HONDB1] YSN1 free 4.52% \x82\xAA\x82\xB5\x82\xAB\x82\xA2\x92l5%\x82\xF0\x89\xBA\x89\xF1\x82\xE8\x82܂\xB5\x82\xBD (Free size = 1466560KB) [Jp1 Notified]","Alert","","/insight/PI","","","","","","","","","",9,"ACTION_VERSION","510","OPT_CATEGORY","OS","OPT_PARM1","","OPT_PARM2","","OPT_PARM3","","OPT_PARM4","","OPT_SID","HONDB1","OPT_URL1","","OPT_URL2","",

 

Please help in this.

Labels (4)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

You need to us * instead of + to get zero or more - + matches on one or more

(?:[^,]+,){23}\"(?<occurance>\w*)\",.*

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

That's because you have an embedded , in the description. Try something like this:

(?:[^,]+,){14}\"(?<alert_description>[^\"]*)\",.*
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You need to us * instead of + to get zero or more - + matches on one or more

(?:[^,]+,){23}\"(?<occurance>\w*)\",.*

srinivas_gowda
Path Finder

This worked perfect, however, when I try and use the same on the below it is working different.

 

Rex used: (?:[^,]+,){14}\"(?<alert_description>[^,]*)\",.*

 

Correctly extracted event:

50271232,00004102,00000000,1600,"20210901225500","20210901225500",4,-1,-1,"SYSTEM","","psd217",46769357,"MS932","KAVS0260-I \x83W\x83\x87\x83u\x83l\x83b\x83g(AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX:@5V689)\x82\xF0\x8AJ\x8En\x82\xB5\x82܂\xB7","Information","jp1admin"...........

 

Missing from below event and extracting wrong field:

50271234,00004105,00000000,1600,"20210901225500","20210901225500",4,-1,-1,"SYSTEM","","psd217",46769359,"MS932","KAVS0263-I \x83W\x83\x87\x83u(AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX/V9B01_B:@5V689)\x82\xF0\x8AJ\x8En\x82\xB5\x82܂\xB7(host: UXC510, JOBID: 56620)","Information","jp1admin"........

 

Did this affect in some way else?

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>