Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Field Extractor Regex bombs on slash

Sageth
New Member
‎01-23-2015 08:09 AM

Hi All -

I have some data as follows in a fixed length log file. 

13170182  1108                                  ABC1D234/EFG56789 I N R SNET0031        0 BPGTCPI1/3712  TCPIP session closed by ABC12D34 from: 10.20.30.40/56927
13170183  1108                                  ABC1D2  /EFG56789 I N R SNET0031        0 BPGTC   /3712  TCPIP session closed by ABC12D34 from: 10.20.30.40/56927

I'm trying to use the field extractor, but for some reason, it bombs out and stops working after the first slash and I've been unable to work around it. This regex works:

(?P<FIELDNAME1>\d{8})\s+(?P<FIELDNAME2>\d{4})\s+(?P<FIELDNAME3>[\w\s]{32})\s+(?P<FIELDNAME4>[\w\s]{8})\/

But as soon as I add the fifth field, there is no data sample returned from the extractor. The regex below doesn't work, but doesn't give me an error. I've tried a few variations, including adding the slash as its own separator field with a {1}, and also trying to do a fieldname4 with {9} (which works), but as soon as I try to get the next character, it stops working again. Like so:

(?P<FIELDNAME1>\d{8})\s+(?P<FIELDNAME2>\d{4})\s+(?P<FIELDNAME3>[\w\s]{32})\s+(?P<FIELDNAME4>[\w\s]{8})\/(?P<FIELDNAME5>[\w\s]{8})/s+

Any ideas on what I'm missing? Is there are character limit I'm hitting against?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎01-23-2015 08:19 AM

You have the wrong "slash" on the last "/s+". it should be a backslash: \s+

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2015 08:33 AM

Your second regex string does not escape the last slash. Are you sure you have the field widths correct? When I add them up, field5 does not end with a slash.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎01-23-2015 08:19 AM

You have the wrong "slash" on the last "/s+". it should be a backslash: \s+

Reply
Solved! Jump to solution

Sageth
New Member
‎01-23-2015 08:23 AM

Holy dumb. I spent 3 hours on that and never realized. It works. Thank you!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...