Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extractor Regex bombs on slash

Sageth
New Member
‎01-23-2015 08:09 AM

Hi All -

I have some data as follows in a fixed length log file. 

13170182  1108                                  ABC1D234/EFG56789 I N R SNET0031        0 BPGTCPI1/3712  TCPIP session closed by ABC12D34 from: 10.20.30.40/56927
13170183  1108                                  ABC1D2  /EFG56789 I N R SNET0031        0 BPGTC   /3712  TCPIP session closed by ABC12D34 from: 10.20.30.40/56927

I'm trying to use the field extractor, but for some reason, it bombs out and stops working after the first slash and I've been unable to work around it. This regex works:

(?P<FIELDNAME1>\d{8})\s+(?P<FIELDNAME2>\d{4})\s+(?P<FIELDNAME3>[\w\s]{32})\s+(?P<FIELDNAME4>[\w\s]{8})\/

But as soon as I add the fifth field, there is no data sample returned from the extractor. The regex below doesn't work, but doesn't give me an error. I've tried a few variations, including adding the slash as its own separator field with a {1}, and also trying to do a fieldname4 with {9} (which works), but as soon as I try to get the next character, it stops working again. Like so:

(?P<FIELDNAME1>\d{8})\s+(?P<FIELDNAME2>\d{4})\s+(?P<FIELDNAME3>[\w\s]{32})\s+(?P<FIELDNAME4>[\w\s]{8})\/(?P<FIELDNAME5>[\w\s]{8})/s+

Any ideas on what I'm missing? Is there are character limit I'm hitting against?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎01-23-2015 08:19 AM

You have the wrong "slash" on the last "/s+". it should be a backslash: \s+

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2015 08:33 AM

Your second regex string does not escape the last slash. Are you sure you have the field widths correct? When I add them up, field5 does not end with a slash.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎01-23-2015 08:19 AM

You have the wrong "slash" on the last "/s+". it should be a backslash: \s+

Reply
Solved! Jump to solution

Sageth
New Member
‎01-23-2015 08:23 AM

Holy dumb. I spent 3 hours on that and never realized. It works. Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...