Solved: Extraction regular expression

bharpur183 · ‎09-08-2017

I am using the extraction (regular expression) option to extract a particular field from the events.
The issue I am having is the extraction works only for the previous events and not for the current ones coming in. Need some help.

gcusello · ‎09-08-2017

Hi bharpur183,
Try with this regex in rex command or in field extraction:

| rex "Scheduled\s+:\s+(?<Field_Name>.+)\s+Rep"

test it at https://regex101.com/r/o09dVs/1

Bye.
Giuseppe

View solution in original post

woodcock · ‎09-09-2017

Try making it multiline like this:

| rex "(?ms)[\r\n]+(?<Field_Name>Scheduled[^\r\n]+)"

woodcock · ‎09-09-2017

This is a long shot: are you talking about an accelerated datamodel? When you accelerate a datamodel, it goes through an additional indexing pass that creates index-time fields and it is cooked into the tsidx as it is now. If you change the field extraction, then anything that is cooked after the change will reflect the change but not the stuff already cooked. You can delete your datamodel acceleration and rebuild it.

gcusello · ‎09-08-2017

Hi bharpur183,
Try with this regex in rex command or in field extraction:

| rex "Scheduled\s+:\s+(?<Field_Name>.+)\s+Rep"

test it at https://regex101.com/r/o09dVs/1

Bye.
Giuseppe

bharpur183 · ‎09-09-2017

That worked. thanks cusello

cpetterborg · ‎09-08-2017

Where is the regular expression? config files, or auto field extractions, or SPL rex in your search?

bharpur183 · ‎09-08-2017

So this is the actual event :

9/8/17
8:30:01.598 PM

2017-09-08T20:30:01.598-04:00 INFO m_gchgserv_gchg.cpp(2264)[9] GCHG::sendGchgUpdate() - 105971244 type: 1 note: In-Progress {FIFW GCHG 167015}: Install power supply
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT
Rep : Mike Sunil
Note: Install power supplies

And from this I am trying to extract
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT

This time window is different always depending on work.
The extraction I did shows all the previous ones but not the current ones

skoelpin · ‎09-08-2017

Field extractions are relative to the sourcetype. Are you sure that your using the correct sourcetype when looking at the new field?

bharpur183 · ‎09-08-2017

So this is the actual event :

9/8/17
8:30:01.598 PM

2017-09-08T20:30:01.598-04:00 INFO m_gchgserv_gchg.cpp(2264)[9] GCHG::sendGchgUpdate() - 105971244 type: 1 note: In-Progress {FIFW GCHG 167015}: Install power supply
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT
Rep : Mike Sunil
Note: Install power supplies

And from this I am trying to extract
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT

This time window is different always depending on work.
The extraction I did shows all the previous ones but not the current ones

skoelpin · ‎09-08-2017

Can you provide your regex?

It should look something like this
(?<Field_Name>Scheduled.+)

skoelpin · ‎09-08-2017

Try appending this to the end of your search and see if it created the field Field_Name

| rex (?<Field_Name>Scheduled.+)

bharpur183 · ‎09-08-2017

It didn't do anything

bharpur183 · ‎09-08-2017

Am using the option " Extract new fields " from the left hand side column . The automatic option and no regex command line

Extraction regular expression

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform