Splunk Search

Extraction regular expression

Explorer

I am using the extraction (regular expression) option to extract a particular field from the events.
The issue I am having is that the extraction works only for the previous events and not for the current ones coming in. I need some help.

0 Karma
1 Solution

Legend

Hi bharpur183,
Try this regex in the rex command or in a field extraction:

| rex "Scheduled\s+:\s+(?<Field_Name>.+)\s+Rep"

test it at https://regex101.com/r/o09dVs/1

Bye.
Giuseppe


0 Karma

Esteemed Legend

Try making it multiline like this:

| rex "(?ms)[\r\n]+(?<Field_Name>Scheduled[^\r\n]+)"
0 Karma

Esteemed Legend

This is a long shot: are you talking about an accelerated datamodel? When you accelerate a datamodel, it goes through an additional indexing pass that creates index-time fields and it is cooked into the tsidx as it is now. If you change the field extraction, then anything that is cooked after the change will reflect the change but not the stuff already cooked. You can delete your datamodel acceleration and rebuild it.

0 Karma


Explorer

That worked. Thanks cusello.

0 Karma

SplunkTrust

Where is the regular expression: config files, auto field extractions, or SPL rex in your search?

0 Karma

Explorer

So this is the actual event:

9/8/17
8:30:01.598 PM

2017-09-08T20:30:01.598-04:00 INFO m_gchgserv_gchg.cpp(2264)[9] GCHG::sendGchgUpdate() - 105971244 type: 1 note: In-Progress {FIFW GCHG 167015}: Install power supply
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT
Rep : Mike Sunil
Note: Install power supplies

And from this I am trying to extract
Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT

This time window is always different, depending on the work.
The extraction I did shows all the previous ones but not the current ones.

0 Karma

SplunkTrust

Field extractions are relative to the sourcetype. Are you sure that you're using the correct sourcetype when looking at the new field?

0 Karma


SplunkTrust

Can you provide your regex?

It should look something like this:
(?<Field_Name>Scheduled.+)

0 Karma

SplunkTrust

Try appending this to the end of your search and see if it creates the field Field_Name:

| rex "(?<Field_Name>Scheduled.+)"

0 Karma

Explorer

It didn't do anything.

0 Karma

Explorer

I am using the "Extract new fields" option from the left-hand column: the automatic option, not a rex command line.

0 Karma
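As an added check that is not part of this thread: the three patterns posted above, run with Python's re module over the sample event from the thread (constructed here with LF line endings) and over a constructed CRLF variant of the same event. Splunk's PCRE named group (?<name>...) is written (?P<name>...) in Python; everything else in the patterns is unchanged. The CRLF variant is an assumption used only to show how each capture differs when line endings change, not a cause the thread identified.

```python
import re

# Constructed sample event, copied from the thread, with LF line endings.
EVENT_LF = (
    "2017-09-08T20:30:01.598-04:00 INFO m_gchgserv_gchg.cpp(2264)[9] "
    "GCHG::sendGchgUpdate() - 105971244 type: 1 note: In-Progress "
    "{FIFW GCHG 167015}: Install power supply\n"
    "Scheduled : 09/09/2017 00:30 GMT to 09/09/2017 03:30 GMT\n"
    "Rep : Mike Sunil\n"
    "Note: Install power supplies\n"
)

# Constructed variant: same event, Windows-style CRLF line endings.
EVENT_CRLF = EVENT_LF.replace("\n", "\r\n")

# The patterns posted in the thread. Splunk's (?<name>...) becomes
# (?P<name>...) for Python's re module; nothing else is changed.
PATTERNS = {
    "cusello":   r"Scheduled\s+:\s+(?P<Field_Name>.+)\s+Rep",
    "multiline": r"(?ms)[\r\n]+(?P<Field_Name>Scheduled[^\r\n]+)",
    "simple":    r"(?P<Field_Name>Scheduled.+)",
}


def extract(pattern: str, event: str):
    """Return the Field_Name capture of `pattern` over `event`, or None."""
    match = re.search(pattern, event)
    return match.group("Field_Name") if match else None


def extract_all(event: str) -> dict:
    """Run every pattern from the thread over one event."""
    return {name: extract(pat, event) for name, pat in PATTERNS.items()}


def has_trailing_cr(value) -> bool:
    """True when a capture silently picked up a carriage return."""
    return value is not None and value.endswith("\r")


if __name__ == "__main__":
    for label, event in (("LF", EVENT_LF), ("CRLF", EVENT_CRLF)):
        for name, value in extract_all(event).items():
            print(f"{label:4} {name:9} -> {value!r}  trailing CR: {has_trailing_cr(value)}")
```

With CRLF input, `.+` (which matches `\r` but not `\n`) drags a carriage return into the capture for two of the patterns, while the `[^\r\n]+` pattern stays clean; checking the captured value with `has_trailing_cr` is a quick way to confirm which case you are in.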