
How can I extract a field with a '.' (period character)?

throstur
Engager

It seems that there is no way to extract fields with a '.' in the name.

I'm trying to use field extractors on our older data to create fields matching the newer data json fields.

{ "pirate": { "say": "Shiver me timbers" } }
pirate.say = "Shiver me timbers"

To test this you can do something like this:

| metadata type=hosts index=_internal 
| head 1
| eval message="Shiver me timbers, goes the pirate"
| table message
| rex field=message "(?<pirate.say>[^,]+)"

But all I get for my efforts is the same error message in both the 'rex' prototype described above and the 'Field extractions' page.

From the 'rex' prototype I get:

Error in 'rex' command: Encountered the following error while compiling the regex '(?<pirate.say>[^,]+)': Regex: syntax error in subpattern name (missing terminator)

From the 'Fields » Field extractions » Add new' I get:

Encountered the following error while trying to save: Regex: syntax error in subpattern name (missing terminator)

So any thoughts on how I can solve this one?

0 Karma
1 Solution

cpetterborg
SplunkTrust

PCRE regular expressions do not permit a period in capture group names by the definition of the names. If you want to separate the words, you must use an underscore. Therefore you could use pirate_say, but not pirate.say or even pirate-say. You may only use A-Z, a-z, 0-9 and _ in capture group names.

throstur
Engager

Yes, I suspected as much.

Was hoping that there was a workaround for Splunk as they support field names with other characters.

The workaround I'm currently using is renaming pirate_say to pirate.say if pirate.say does not already exist.

0 Karma
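The workaround described in that reply, written out as an added SPL example (not from the original post): the capture group uses the underscore name the accepted answer requires, and the extracted value is then moved into the dotted field only where pirate.say is not already populated (newer JSON events keep their own value). The field names pirate_say and pirate.say are the ones from the thread; the first four lines reproduce the question's test setup.

```spl
| metadata type=hosts index=_internal
| head 1
| eval message="Shiver me timbers, goes the pirate"
| table message
| rex field=message "(?<pirate_say>[^,]+)"
| eval pirate_say=coalesce('pirate.say', pirate_say)
| rename pirate_say AS "pirate.say"
| table message pirate.say
```

In eval expressions a field name containing a period must be referenced in single quotes ('pirate.say'), and rename needs the dotted target in double quotes; in dashboard XML the < and > of the rex group must additionally be escaped as &lt; and &gt;, as noted later in the thread.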

gcusello
SplunkTrust

Hi throstur,
beware that the search command

| rex field=message "(?<pirate_say>[^,]+)"

when it is in a dashboard must be translated into

| rex field=message "(?&lt;pirate_say&gt;[^,]+)"

you missed ; in &lt and &gt
Bye.
Giuseppe

throstur
Engager

Thanks. 😄

0 Karma

throstur
Engager

Fixed it now

0 Karma

gcusello
SplunkTrust

If this solution answers your question, please accept or upvote it.
Bye.
Giuseppe

0 Karma

throstur
Engager

No, this doesn't answer my question at all.

0 Karma