Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Generated pattern (regex)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to extract both of the words, is there anyone that knows how ? I have used this
(?i)summary : (?P<FIELDNAME>[\w\.]+)
but it extracts only the word Mostly.
summary : Mostly Cloudy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this expression and it work. Btw thanks for your help ! 😃
(?i)Summary : (?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this expression and it work. Btw thanks for your help ! 😃
(?i)Summary : (?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(?<field_name>\S+)\s+:\s+(?<field_value>.+)
Be careful about the cases of 's', because '\s' has a different meaning than '\S'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
see my comments down, I cannot post codes in here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well thats quite a different usecase, thanI would have guessed from your initial question. I updated my answer to extract the field_name ("summary") and the field_value ("Mostly Cloudy") seperatly.
But maybe you also want to take a look at handling multiline events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using 5.0.2. Btw it worked but my data is inputed this way(below), it extracts this
FIELDNAME
Mostly Cloudy
temperature
Foggy
temperature
lastword
temperature
(Splunk reads my data every 5 minutes)
time : 1371715104
visibility : 0.67
windBearing : 260
windSpeed : 9.41
psiAverage : 182
cloudCover : 0.61
dewPoint : 65.58
humidity : 0.39
icon : fog
ozone : 267.04
precipIntensity : 0
pressure : 1005.64
summary : Foggy
temperature : 94.49
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now I changed it, so the inner caption group is named as well, even if it is not needed on my test instance (5.0.1).
kailun, which splunk version do you use?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Invalid regex: no named extraction at position 27 (i.e., ">([\w.]+..."). Expected "(?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The questionmark in the inner caption group was producing a problem, I edited my answer to my tested solution.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
