Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Matching Two Strings in Field Extraction
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kederart
Explorer
01-11-2013
06:44 AM
I am trying to match two separate strings for one field extraction. When setup separately they would look like...
(?i)^[^*#\d+\s+(?P< a >[^]+)
and
(?i)^(?:[^\-]*\i{2}\d+\s+(?P< b >[^]+)
I combined them by simply placing a pipe in between the two strings. The problem is Splunk will only pick up whichever value has a, and the b value will be lost. I can switch a and b and the values picked up will switch, but I cannot get the combination of both. I also cannot name both a as that is against Splunk conventions. Is this possible to accomplish? What am I missing here? Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jameshgibson
Path Finder
01-11-2013
09:30 AM
can you not change the regex to:
(?i)^([^*#]\d+\s+|(?:)[^\-]*\i{2}\d+\s+)(?P<a>[^]+)
this should match (?P<a>[^]+) when preceded by either (?i)^[^*#]\d+\s+ or (?i)^(?:)[^\-]*\i{2}\d+\s+
that is assuming you are missing a closing [ and ) in the expressions in your question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
01-11-2013
10:54 AM
Fair enough, but I think the easiest thing still would be to have multiple field extractions - you can still use the same field name for your extraction, it's just different ways of arriving at the extracted field. So you wouldn't have to mess with name1, name2 etc, you can just extract everything to name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jameshgibson
Path Finder
01-11-2013
09:30 AM
can you not change the regex to:
(?i)^([^*#]\d+\s+|(?:)[^\-]*\i{2}\d+\s+)(?P<a>[^]+)
this should match (?P<a>[^]+) when preceded by either (?i)^[^*#]\d+\s+ or (?i)^(?:)[^\-]*\i{2}\d+\s+
that is assuming you are missing a closing [ and ) in the expressions in your question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kederart
Explorer
01-11-2013
08:10 AM
Sorry for the confusion. We want to search for a name (example a), however the name isn't always coming up as other names are being formatted in the second way (example b). We want a way to search for all the names without having multiple field extractions. I thought we could do that by piping the two searches together. We don't want to have name1, name2, name3 for field extractions because it's going to become cluttered and a little difficult to manage. Does that make more sense?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
01-11-2013
07:58 AM
I'm not sure I follow. Why would you need multiple searches to perform multiple field extractions? There are usually loads of field extractions taking place for each event in a search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kederart
Explorer
01-11-2013
07:53 AM
We have a dozen or so logs and we are doing multiple field extractions for each log. If we keep doing multiple field extraction for "a" then we are going to be cluttered with 6-10 searches per log. Our goal is to cut down on the clutter.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
01-11-2013
07:29 AM
Why not have two field extractions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kederart
Explorer
01-11-2013
06:54 AM
The only solution I've found so far is adding a second field extraction that both search on a. However, we have multiple logs and this could get cluttered when we start adding more searches. Would prefer to keep it as one search.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
