Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extractor Regex bombs on slash

Sageth
New Member
‎01-23-2015 08:09 AM

Hi All -

I have some data as follows in a fixed length log file. 

13170182  1108                                  ABC1D234/EFG56789 I N R SNET0031        0 BPGTCPI1/3712  TCPIP session closed by ABC12D34 from: 10.20.30.40/56927
13170183  1108                                  ABC1D2  /EFG56789 I N R SNET0031        0 BPGTC   /3712  TCPIP session closed by ABC12D34 from: 10.20.30.40/56927

I'm trying to use the field extractor, but for some reason, it bombs out and stops working after the first slash and I've been unable to work around it. This regex works:

(?P<FIELDNAME1>\d{8})\s+(?P<FIELDNAME2>\d{4})\s+(?P<FIELDNAME3>[\w\s]{32})\s+(?P<FIELDNAME4>[\w\s]{8})\/

But as soon as I add the fifth field, there is no data sample returned from the extractor. The regex below doesn't work, but doesn't give me an error. I've tried a few variations, including adding the slash as its own separator field with a {1}, and also trying to do a fieldname4 with {9} (which works), but as soon as I try to get the next character, it stops working again. Like so:

(?P<FIELDNAME1>\d{8})\s+(?P<FIELDNAME2>\d{4})\s+(?P<FIELDNAME3>[\w\s]{32})\s+(?P<FIELDNAME4>[\w\s]{8})\/(?P<FIELDNAME5>[\w\s]{8})/s+

Any ideas on what I'm missing? Is there are character limit I'm hitting against?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎01-23-2015 08:19 AM

You have the wrong "slash" on the last "/s+". it should be a backslash: \s+

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2015 08:33 AM

Your second regex string does not escape the last slash. Are you sure you have the field widths correct? When I add them up, field5 does not end with a slash.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎01-23-2015 08:19 AM

You have the wrong "slash" on the last "/s+". it should be a backslash: \s+

Reply
Solved! Jump to solution

Sageth
New Member
‎01-23-2015 08:23 AM

Holy dumb. I spent 3 hours on that and never realized. It works. Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

See Splunk Platform & Observability Innovations at Cisco Live EMEA

Hi Splunkers, Learn about what’s next for Splunk Platform at Cisco Live EMEA.  Data silos are a big challenge ...

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...