Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field extraction regex breaks due to date change and space

ershad_c
Engager
‎05-09-2021 09:10 PM

The date field sometimes has 2 spaces and sometimes 1 space, depending on whether the date is a single digit or double digit. eg. 

May[space][space]9

vs 

May[space]10

as a result the field extraction regex finds the wrong field in the first 10 days of the month. 

sample regex that splunk comes up with  - ^(?:[^ \n]* ){9}(?P<ResponseTime>\d+)

I would have expected this to be a common enough problem but I can't seem to google the answer 😞

TIA for your assistance for this regex Newbie

 

 

Labels (2)
Labels
0 Karma
Reply

renjith_nair
Legend
‎05-09-2021 09:48 PM

Adding a '+' to your white space should fix the issue

Please find a run anywhere example and test if it works for you. If not, please provide a sample event you are trying to extract

|makeresults |eval date="May  1 2021,May  2 2021,May  3 2021,May 10 2021,May 11 2021"|makemv date delim=","| mvexpand date
|rex field=date "\w+\s+(?<Day>\d+)"
Happy Splunking!
Reply

ershad_c
Engager
‎05-10-2021 04:21 PM

Thanks! was able to combine your solution with my data on regex101 and figure it out.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...