Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field Extract returns different results than inline rex field

coshea
Engager
‎12-11-2014 08:52 AM

Using Splunk 6.2,

I have a few regex commands that return drastically different results when they are set up using field extractions vs inline seach commands. For example,

Example Log File:

20140915171053989759850769-27156-8.0.0  --Portfolio "MASTER LONG" --PeriodStartDate "January 1, 2014 12:00:00 am" --PeriodEndDate   "September 15, 2014 11:59:59 pm"

Search command (works correctly):

|rex field=_raw "\bPeriodStartDate.*\"(?<PeriodStart>.*)\"" 
|rex field=_raw "\bPeriodEndDate.*\"(?<PeriodEnd>.*)\""
|rex field=_raw "\bPortfolio.*\"(?<Portfolio>.*)\""

Field Extractions: 

\bPeriodEndDate.*\"(?.*)\" 
\bPeriodStartDate.*\"(?.*)\" 
\bPortfolio.*\"(?.*)\"

Could I be doing something wrong in the Field Extractions? I used the same regex in Splunk 6.0 with no issues. Any help would be appreciated!

0 Karma
Reply

landen99
Motivator
‎09-04-2015 05:51 AM

I observed that your solution (above) always captures the end date. Adding \s* as martin suggested does capture everything to the end as you noted. My solution captures exactly what you want efficiently:

-+PeriodEndDate\s+"(?<PeriodEnd>[^"]+)"
-+PeriodStartDate\s+"(?<PeriodStart>[^"]+)"
-+Portfolio\s+"(?<Portfolio>[^"]+)"
0 Karma
Reply

coshea
Engager
‎12-18-2014 12:25 PM

The missing field names inside the capture groups was a bit of a copy and paste error. Here is what I have now:

\bPeriodEndDate.*"(?<PeriodEnd>.*)" 
\bPeriodStartDate.*"(?<PeriodStart>.*)" 
\bPortfolio.*"(?<Portfolio>.*)"

I got rid of the escaped double quote but still can't get it working. If I use \s* it returns the whole log. But if I use .* it returns every event inside of the double quotes.

Thank you for the help

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎12-11-2014 02:31 PM

In rex \" is an escaped double quote, in the field extraction config it's a backslash followed by a double quote - there's no need to escape the double quote because it's not inside a double-quoted string. Additionally it seems your field extraction config is missing the field names inside the capturing groups.

Another unrelated thought, consider using \s* instead of .* to jump the gap between your string and the quoted field value, the .* greedily matches everything which can lead to unexpected results both in rex and field extraction config.

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...