Splunk Search

Extraction regular expression

bharpur183
Explorer

I am using the extraction (regular expression) option to extract a particular field from the events.
The issue I am having is that the extraction works only for the previous events and not for the current ones coming in. I need some help.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi bharpur183,
Try with this regex in rex command or in field extraction:

| rex "Scheduled\s+:\s+(?<Field_Name>.+)\s+Rep"

test it at https://regex101.com/r/o09dVs/1

Bye.
Giuseppe


0 Karma
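To see why the three regexes in this thread behave differently on the poster's multiline event, here is an added example (not code from the thread or from Splunk) that runs them through Python's re module as a stand-in for Splunk's PCRE-based rex. The only change to the patterns is the named-group syntax: Splunk accepts (?<name>...), Python needs (?P<name>...). The event is copied from the thread; the "new window", "no Rep line" and CRLF variants, and the over-fitted pattern with the schedule baked in as a literal, are my own constructions to show what each regex assumes.

```python
import re

# Sample event from the thread, as Splunk would hold it in _raw (the Splunk UI's
# "9/8/17 8:30:01.598 PM" timestamp column is not part of _raw and is left out).
EVENT_FROM_THREAD = (
    "2017-09-08T20:30:01.598-04:00 INFO m_gchgserv_gchg.cpp(2264)[9] "
    "GCHG::sendGchgUpdate() - 105971244 type: 1 note: In-Progress "
    "{FIFW GCHG 167015}: Install power supply\n"
    "Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT\n"
    "Rep : Mike Sunil\n"
    "Note: Install power supplies\n"
)

# Constructed variants (assumptions, not from the thread): a later event with a
# different window, one with no "Rep" line, and one with CRLF line endings.
EVENT_NEW_WINDOW = EVENT_FROM_THREAD.replace(
    "09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT",
    "12/10/2017 22:00 GMT to 13/10/2017 01:15 GMT",
)
EVENT_NO_REP = EVENT_FROM_THREAD.replace("Rep : Mike Sunil\n", "")
EVENT_CRLF = EVENT_FROM_THREAD.replace("\n", "\r\n")

# The three patterns proposed in the thread. Splunk's rex is PCRE and accepts
# (?<name>...); Python's re needs (?P<name>...). Nothing else is changed.
PATTERNS = {
    # skoelpin:  | rex "(?<Field_Name>Scheduled.+)"
    "skoelpin": r"(?P<Field_Name>Scheduled.+)",
    # gcusello (accepted): | rex "Scheduled\s+:\s+(?<Field_Name>.+)\s+Rep"
    "gcusello": r"Scheduled\s+:\s+(?P<Field_Name>.+)\s+Rep",
    # woodcock:  | rex "(?ms)[\r\n]+(?<Field_Name>Scheduled[^\r\n]+)"
    "woodcock": r"(?ms)[\r\n]+(?P<Field_Name>Scheduled[^\r\n]+)",
}

# Hypothetical over-fitted pattern (my construction, not anything the poster
# showed): the schedule value is baked in as a literal, so it matches the sample
# event it was built from and nothing with a different window. This reproduces
# the thread's symptom, "works on old events, not on new ones", for comparison.
OVERFIT = r"Scheduled : (?P<Field_Name>09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT)"


def extract(pattern, raw):
    """Return the Field_Name capture for the first match in raw, or None."""
    m = re.search(pattern, raw)
    return m.group("Field_Name") if m else None


def compare(raw):
    """Run every thread pattern plus the over-fitted one against one event."""
    results = {name: extract(p, raw) for name, p in PATTERNS.items()}
    results["overfit"] = extract(OVERFIT, raw)
    return results


if __name__ == "__main__":
    for label, raw in [("thread event", EVENT_FROM_THREAD),
                       ("new window", EVENT_NEW_WINDOW),
                       ("no Rep line", EVENT_NO_REP),
                       ("CRLF", EVENT_CRLF)]:
        print(label)
        for name, value in compare(raw).items():
            print(f"  {name:9s} -> {value!r}")
```

What the run shows: skoelpin's pattern captures the "Scheduled : " label along with the value; gcusello's captures only the window but silently returns nothing if the following "Rep" line is ever absent; woodcock's needs "Scheduled" at the start of a line, does not depend on the next line, and its [^\r\n]+ is the only one of the three that does not drag a trailing \r into the value when events arrive with CRLF line endings (Python's . matches \r, so the other two capture it). The over-fitted literal pattern matches the event it was written against and nothing else, which is what "works for old events but not new ones" looks like in practice. A quick check in Splunk for any of these is to run the rex over recent events only and list the ones that failed to match, for example by appending `| where isnull(Field_Name)` to the search.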

woodcock
Esteemed Legend

Try making it multiline like this:

| rex "(?ms)[\r\n]+(?<Field_Name>Scheduled[^\r\n]+)"
0 Karma

woodcock
Esteemed Legend

This is a long shot: are you talking about an accelerated datamodel? When you accelerate a datamodel, it goes through an additional indexing pass that creates index-time fields and it is cooked into the tsidx as it is now. If you change the field extraction, then anything that is cooked after the change will reflect the change but not the stuff already cooked. You can delete your datamodel acceleration and rebuild it.

0 Karma


bharpur183
Explorer

That worked. Thanks, gcusello.

0 Karma

cpetterborg
SplunkTrust

Where is the regular expression? config files, or auto field extractions, or SPL rex in your search?

0 Karma

bharpur183
Explorer

So this is the actual event:

9/8/17
8:30:01.598 PM

2017-09-08T20:30:01.598-04:00 INFO m_gchgserv_gchg.cpp(2264)[9] GCHG::sendGchgUpdate() - 105971244 type: 1 note: In-Progress {FIFW GCHG 167015}: Install power supply
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT
Rep : Mike Sunil
Note: Install power supplies

And from this I am trying to extract
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT

This time window is always different, depending on the work.
The extraction I did shows all the previous ones but not the current ones.

0 Karma

skoelpin
SplunkTrust

Field extractions are relative to the sourcetype. Are you sure that you're using the correct sourcetype when looking at the new field?

0 Karma


skoelpin
SplunkTrust

Can you provide your regex?

It should look something like this
(?<Field_Name>Scheduled.+)

0 Karma

skoelpin
SplunkTrust

Try appending this to the end of your search and see if it created the field Field_Name

| rex "(?<Field_Name>Scheduled.+)"

0 Karma

bharpur183
Explorer

It didn't do anything

0 Karma

bharpur183
Explorer

I am using the "Extract new fields" option from the left-hand column, the automatic option, with no regex on the command line.

0 Karma