Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extractor Regex bombs on slash

Sageth
New Member
‎01-23-2015 08:09 AM

Hi All -

I have some data as follows in a fixed length log file. 

13170182  1108                                  ABC1D234/EFG56789 I N R SNET0031        0 BPGTCPI1/3712  TCPIP session closed by ABC12D34 from: 10.20.30.40/56927
13170183  1108                                  ABC1D2  /EFG56789 I N R SNET0031        0 BPGTC   /3712  TCPIP session closed by ABC12D34 from: 10.20.30.40/56927

I'm trying to use the field extractor, but for some reason, it bombs out and stops working after the first slash and I've been unable to work around it. This regex works:

(?P<FIELDNAME1>\d{8})\s+(?P<FIELDNAME2>\d{4})\s+(?P<FIELDNAME3>[\w\s]{32})\s+(?P<FIELDNAME4>[\w\s]{8})\/

But as soon as I add the fifth field, there is no data sample returned from the extractor. The regex below doesn't work, but doesn't give me an error. I've tried a few variations, including adding the slash as its own separator field with a {1}, and also trying to do a fieldname4 with {9} (which works), but as soon as I try to get the next character, it stops working again. Like so:

(?P<FIELDNAME1>\d{8})\s+(?P<FIELDNAME2>\d{4})\s+(?P<FIELDNAME3>[\w\s]{32})\s+(?P<FIELDNAME4>[\w\s]{8})\/(?P<FIELDNAME5>[\w\s]{8})/s+

Any ideas on what I'm missing? Is there are character limit I'm hitting against?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎01-23-2015 08:19 AM

You have the wrong "slash" on the last "/s+". it should be a backslash: \s+

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2015 08:33 AM

Your second regex string does not escape the last slash. Are you sure you have the field widths correct? When I add them up, field5 does not end with a slash.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎01-23-2015 08:19 AM

You have the wrong "slash" on the last "/s+". it should be a backslash: \s+

Reply
Solved! Jump to solution

Sageth
New Member
‎01-23-2015 08:23 AM

Holy dumb. I spent 3 hours on that and never realized. It works. Thank you!

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...