
Extraction regular expression

Explorer

I am using the extraction (regular expression) option to extract a particular field from the events.
The issue I am having is the extraction works only for the previous events and not for the current ones coming in. Need some help.


Re: Extraction regular expression

SplunkTrust

Field extractions are relative to the sourcetype. Are you sure that you're using the correct sourcetype when looking at the new field?


Re: Extraction regular expression

Explorer

So this is the actual event:

9/8/17
8:30:01.598 PM

2017-09-08T20:30:01.598-04:00 INFO mgchgservgchg.cpp(2264)[9] GCHG::sendGchgUpdate() - 105971244 type: 1 note: In-Progress {FIFW GCHG 167015}: Install power supply
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT
Rep : Mike Sunil
Note: Install power supplies

And from this I am trying to extract
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT

This time window is always different, depending on the work.
The extraction I did shows all the previous ones but not the current ones.


Re: Extraction regular expression

SplunkTrust

Can you provide your regex?

It should look something like this
(?<Field_Name>Scheduled.+)


Re: Extraction regular expression

Explorer

I am using the "Extract new fields" option from the left-hand column, the automatic option, with no regex command line.


Re: Extraction regular expression

SplunkTrust

Try appending this to the end of your search and see if it creates the field Field_Name

| rex "(?<Field_Name>Scheduled.+)"


Re: Extraction regular expression

Explorer

It didn't do anything


Re: Extraction regular expression

SplunkTrust

Where is the regular expression? config files, or auto field extractions, or SPL rex in your search?

Re: Extraction regular expression

Legend

Hi bharpur183,
Try this regex in the rex command or in a field extraction:

| rex "Scheduled\s+:\s+(?<Field_Name>.+)\s+Rep"

Test it at https://regex101.com/r/o09dVs/1

Bye.
Giuseppe

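As an added example (my code, not from this thread or from Splunk), here is a small Python harness that runs the two regexes proposed above, `(?<Field_Name>Scheduled.+)` and `Scheduled\s+:\s+(?<Field_Name>.+)\s+Rep`, against a constructed copy of the posted event, the way you would before trusting an extraction across old and new events. It goes a little beyond the thread: it adds a third pattern (`REX_SPLIT`, my assumption) that captures the start and end timestamps separately and does not depend on a "Rep" line following, and it includes a constructed second event without that line to show which pattern stops matching when the layout drifts. Python's `re` only accepts `(?P<name>...)`, so the helper rewrites the PCRE form Splunk uses.

```python
import re
from datetime import datetime

# Constructed sample event, modelled on the one posted in the thread (one
# multi-line _raw event as Splunk would store it).
SAMPLE_EVENT = (
    "2017-09-08T20:30:01.598-04:00 INFO mgchgservgchg.cpp(2264)[9] "
    "GCHG::sendGchgUpdate() - 105971244 type: 1 note: In-Progress "
    "{FIFW GCHG 167015}: Install power supply\n"
    "Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT\n"
    "Rep : Mike Sunil\n"
    "Note: Install power supplies"
)

# Constructed variant (assumption): same event but the "Rep :" line is absent,
# the kind of layout drift that makes an extraction silently stop matching.
EVENT_WITHOUT_REP = SAMPLE_EVENT.replace("Rep : Mike Sunil\n", "")

# The two regexes proposed in the thread, in Splunk (PCRE) named-group syntax.
REX_WHOLE_LINE = r"(?<Field_Name>Scheduled.+)"
REX_WINDOW_ONLY = r"Scheduled\s+:\s+(?<Field_Name>.+)\s+Rep"

# Added variant (not from the thread): capture the two timestamps separately,
# anchored on their own shape instead of on the following "Rep" line.
REX_SPLIT = (
    r"Scheduled\s+:\s+(?<start>\d{2}/\d{2}/\d{4} \d{2}:\d{2} GMT)"
    r"\s+to\s+(?<end>\d{2}/\d{2}/\d{4} \d{2}:\d{2} GMT)"
)


def compile_splunk_regex(pattern: str) -> re.Pattern:
    """Compile a PCRE-style pattern with Python's re module.

    Python only understands (?P<name>...) for named groups, so rewrite the
    (?<name>...) form; lookbehinds (?<= and (?<! are left untouched.
    """
    return re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", pattern))


def rex(pattern: str, event: str) -> dict:
    """Mimic `| rex "<pattern>"` on one _raw event.

    Returns the named captures, or an empty dict when the pattern does not
    match (Splunk likewise just leaves the field unset on that event).
    """
    match = compile_splunk_regex(pattern).search(event)
    return match.groupdict() if match else {}


def check_extraction(pattern: str, events: list) -> list:
    """Return the indices of events the pattern fails to match.

    Run over a sample of old and new events, this turns "works on the previous
    ones but not the current ones" into a concrete list of events to diff.
    """
    return [i for i, event in enumerate(events) if not rex(pattern, event)]


def parse_window(fields: dict):
    """Turn the start/end captures of REX_SPLIT into datetimes plus hours."""
    fmt = "%m/%d/%Y %H:%M GMT"
    start = datetime.strptime(fields["start"], fmt)
    end = datetime.strptime(fields["end"], fmt)
    return start, end, (end - start).total_seconds() / 3600


if __name__ == "__main__":
    events = [SAMPLE_EVENT, EVENT_WITHOUT_REP]
    for name, pattern in [("whole line", REX_WHOLE_LINE),
                          ("window only", REX_WINDOW_ONLY),
                          ("split", REX_SPLIT)]:
        print(f"{name:12s} -> {rex(pattern, SAMPLE_EVENT)}  "
              f"fails on events: {check_extraction(pattern, events)}")
    start, end, hours = parse_window(rex(REX_SPLIT, SAMPLE_EVENT))
    print(f"window {start} to {end} = {hours:.1f} h")
```

The first pattern keeps the literal "Scheduled :" prefix in the field, the second yields only the time window but returns nothing when no "Rep" line follows, and the split pattern matches both constructed events. Inside Splunk the same check can be done without a Python interpreter by building a test event with `| makeresults | eval _raw="..."` and piping it into the `| rex "..."` under test, which also sidesteps the sourcetype question raised earlier in the thread because `rex` runs on whatever `_raw` it is given.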