Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field Extract returns different results than inline rex field

coshea
Engager
‎12-11-2014 08:52 AM

Using Splunk 6.2,

I have a few regex commands that return drastically different results when they are set up using field extractions vs inline seach commands. For example,

Example Log File:

20140915171053989759850769-27156-8.0.0  --Portfolio "MASTER LONG" --PeriodStartDate "January 1, 2014 12:00:00 am" --PeriodEndDate   "September 15, 2014 11:59:59 pm"

Search command (works correctly):

|rex field=_raw "\bPeriodStartDate.*\"(?<PeriodStart>.*)\"" 
|rex field=_raw "\bPeriodEndDate.*\"(?<PeriodEnd>.*)\""
|rex field=_raw "\bPortfolio.*\"(?<Portfolio>.*)\""

Field Extractions: 

\bPeriodEndDate.*\"(?.*)\" 
\bPeriodStartDate.*\"(?.*)\" 
\bPortfolio.*\"(?.*)\"

Could I be doing something wrong in the Field Extractions? I used the same regex in Splunk 6.0 with no issues. Any help would be appreciated!

0 Karma
Reply

landen99
Motivator
‎09-04-2015 05:51 AM

I observed that your solution (above) always captures the end date. Adding \s* as martin suggested does capture everything to the end as you noted. My solution captures exactly what you want efficiently:

-+PeriodEndDate\s+"(?<PeriodEnd>[^"]+)"
-+PeriodStartDate\s+"(?<PeriodStart>[^"]+)"
-+Portfolio\s+"(?<Portfolio>[^"]+)"
0 Karma
Reply

coshea
Engager
‎12-18-2014 12:25 PM

The missing field names inside the capture groups was a bit of a copy and paste error. Here is what I have now:

\bPeriodEndDate.*"(?<PeriodEnd>.*)" 
\bPeriodStartDate.*"(?<PeriodStart>.*)" 
\bPortfolio.*"(?<Portfolio>.*)"

I got rid of the escaped double quote but still can't get it working. If I use \s* it returns the whole log. But if I use .* it returns every event inside of the double quotes.

Thank you for the help

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎12-11-2014 02:31 PM

In rex \" is an escaped double quote, in the field extraction config it's a backslash followed by a double quote - there's no need to escape the double quote because it's not inside a double-quoted string. Additionally it seems your field extraction config is missing the field names inside the capturing groups.

Another unrelated thought, consider using \s* instead of .* to jump the gap between your string and the quoted field value, the .* greedily matches everything which can lead to unexpected results both in rex and field extraction config.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...