Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field extraction regex breaks due to date change and space

ershad_c
Engager
‎05-09-2021 09:10 PM

The date field sometimes has 2 spaces and sometimes 1 space, depending on whether the date is a single digit or double digit. eg. 

May[space][space]9

vs 

May[space]10

as a result the field extraction regex finds the wrong field in the first 10 days of the month. 

sample regex that splunk comes up with  - ^(?:[^ \n]* ){9}(?P<ResponseTime>\d+)

I would have expected this to be a common enough problem but I can't seem to google the answer 😞

TIA for your assistance for this regex Newbie

 

 

Labels (2)
Labels
0 Karma
Reply

renjith_nair
Legend
‎05-09-2021 09:48 PM

Adding a '+' to your white space should fix the issue

Please find a run anywhere example and test if it works for you. If not, please provide a sample event you are trying to extract

|makeresults |eval date="May  1 2021,May  2 2021,May  3 2021,May 10 2021,May 11 2021"|makemv date delim=","| mvexpand date
|rex field=date "\w+\s+(?<Day>\d+)"
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

ershad_c
Engager
‎05-10-2021 04:21 PM

Thanks! was able to combine your solution with my data on regex101 and figure it out.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...