Field extraction regex breaks due to date change a...

ershad_c · ‎05-09-2021

The date field sometimes has 2 spaces and sometimes 1 space, depending on whether the date is a single digit or double digit. eg.

May[space][space]9

vs

May[space]10

as a result the field extraction regex finds the wrong field in the first 10 days of the month.

sample regex that splunk comes up with - ^(?:[^ \n]* ){9}(?P<ResponseTime>\d+)

I would have expected this to be a common enough problem but I can't seem to google the answer 😞

TIA for your assistance for this regex Newbie

renjith_nair · ‎05-09-2021

Adding a '+' to your white space should fix the issue

Please find a run anywhere example and test if it works for you. If not, please provide a sample event you are trying to extract

|makeresults |eval date="May  1 2021,May  2 2021,May  3 2021,May 10 2021,May 11 2021"|makemv date delim=","| mvexpand date
|rex field=date "\w+\s+(?<Day>\d+)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

ershad_c · ‎05-10-2021

Thanks! was able to combine your solution with my data on regex101 and figure it out.

Field extraction regex breaks due to date change and space

field extraction

regex

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?