
Field Extract returns different results than inline rex field

coshea
Engager

Using Splunk 6.2,

I have a few regex commands that return drastically different results when they are set up using field extractions vs inline search commands. For example,

Example Log File:

20140915171053989759850769-27156-8.0.0  --Portfolio "MASTER LONG" --PeriodStartDate "January 1, 2014 12:00:00 am" --PeriodEndDate   "September 15, 2014 11:59:59 pm"

Search command (works correctly):

|rex field=_raw "\bPeriodStartDate.*\"(?<PeriodStart>.*)\"" 
|rex field=_raw "\bPeriodEndDate.*\"(?<PeriodEnd>.*)\""
|rex field=_raw "\bPortfolio.*\"(?<Portfolio>.*)\""

Field Extractions:

\bPeriodEndDate.*\"(?.*)\" 
\bPeriodStartDate.*\"(?.*)\" 
\bPortfolio.*\"(?.*)\" 

Could I be doing something wrong in the Field Extractions? I used the same regex in Splunk 6.0 with no issues. Any help would be appreciated!

0 Karma

landen99
Motivator

I observed that your solution (above) always captures the end date. Adding \s* as martin suggested does capture everything to the end as you noted. My solution captures exactly what you want efficiently:

-+PeriodEndDate\s+"(?<PeriodEnd>[^"]+)"
-+PeriodStartDate\s+"(?<PeriodStart>[^"]+)"
-+Portfolio\s+"(?<Portfolio>[^"]+)"
0 Karma
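Running the three regex styles from this thread against the question's event outside Splunk, as an added example (not code from any of the posts): Python's `re` needs `(?P<name>...)` where Splunk accepts `(?<name>...)`, and the patterns are otherwise written exactly as they would sit in props.conf (raw strings, no escaped quotes). The `\s*` variant is an assumed reconstruction of martin's suggestion with the quoted value still captured by `.*`.

```python
import re

# Constructed copy of the event from the question (note the double and triple spaces).
EVENT = ('20140915171053989759850769-27156-8.0.0  --Portfolio "MASTER LONG" '
         '--PeriodStartDate "January 1, 2014 12:00:00 am" '
         '--PeriodEndDate   "September 15, 2014 11:59:59 pm"')

# The question's field-extraction regexes: greedy .* both before and inside the quotes.
# The leading .* backtracks from the end of the event, so every field lands on the
# last quoted value in the line.
GREEDY = {
    "Portfolio":   r'\bPortfolio.*"(?P<Portfolio>.*)"',
    "PeriodStart": r'\bPeriodStartDate.*"(?P<PeriodStart>.*)"',
    "PeriodEnd":   r'\bPeriodEndDate.*"(?P<PeriodEnd>.*)"',
}

# Assumed reconstruction of martin's \s* suggestion with the value still captured by .*:
# the gap is bridged correctly, but the greedy group runs on to the final quote.
SPACE_GREEDY = {
    "Portfolio":   r'\bPortfolio\s*"(?P<Portfolio>.*)"',
    "PeriodStart": r'\bPeriodStartDate\s*"(?P<PeriodStart>.*)"',
    "PeriodEnd":   r'\bPeriodEndDate\s*"(?P<PeriodEnd>.*)"',
}

# landen99's regexes: \s+ bridges the gap and [^"]+ cannot cross a closing quote.
TIGHT = {
    "Portfolio":   r'-+Portfolio\s+"(?P<Portfolio>[^"]+)"',
    "PeriodStart": r'-+PeriodStartDate\s+"(?P<PeriodStart>[^"]+)"',
    "PeriodEnd":   r'-+PeriodEndDate\s+"(?P<PeriodEnd>[^"]+)"',
}


def extract(patterns, event):
    """Run each pattern against the event; return {field: captured text or None}."""
    result = {}
    for field, pattern in patterns.items():
        match = re.search(pattern, event)
        result[field] = match.group(field) if match else None
    return result


if __name__ == "__main__":
    for label, patterns in (("greedy .*", GREEDY),
                            ("\\s* then .*", SPACE_GREEDY),
                            ("[^\"]+", TIGHT)):
        print(label, extract(patterns, EVENT))
```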

coshea
Engager

The missing field names inside the capture groups were a bit of a copy and paste error. Here is what I have now:

\bPeriodEndDate.*"(?<PeriodEnd>.*)" 
\bPeriodStartDate.*"(?<PeriodStart>.*)" 
\bPortfolio.*"(?<Portfolio>.*)"

I got rid of the escaped double quote but still can't get it working. If I use \s* it returns the whole log. But if I use .* it returns every event inside of the double quotes.

Thank you for the help

0 Karma

martin_mueller
SplunkTrust

In rex \" is an escaped double quote, in the field extraction config it's a backslash followed by a double quote - there's no need to escape the double quote because it's not inside a double-quoted string. Additionally it seems your field extraction config is missing the field names inside the capturing groups.

Another unrelated thought, consider using \s* instead of .* to jump the gap between your string and the quoted field value, the .* greedily matches everything which can lead to unexpected results both in rex and field extraction config.
