Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple capture groups not capturing

arielbintang
New Member
‎11-25-2023 02:02 PM

I have the following log structure:

  2023-11-25T21:18:54.244444  [  info      ]  I am a log message  request = GET /api/myendpoint    request_id = ff223452

I can capture the date and time (without the 244444 part) using:

rex field=myfield "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+"

and timestamp is properly captured.

But if I try to extend this and want to capture the log level as well with for example:

rex field=myfield "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+\s+\[\s*(?<loglevel>\w+)\s*\]\s+"

It didn't work; none of the timestamp nor the loglevel is captured.

What am I doing wrong?

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-25-2023 02:52 PM

You don't appear to be doing anything wrong, given the example you have shared.

| makeresults
| eval _raw="2023-11-25T21:18:54.244444  [  info      ]  I am a log message  request = GET /api/myendpoint    request_id = ff223452"
| rex "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+\s+\[\s*(?<loglevel>\w+)\s*\]\s+"
0 Karma
Reply

arielbintang
New Member
‎11-26-2023 01:10 AM

Thanks for verifying! When I copy paste my log directly to the search box from the log message field and used your makeresults, I see that actually some of the spaces are actually  character; do you know why perhaps its not shown in the results itself (and I have to copy paste)?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-26-2023 03:31 AM

Assuming that the non-word characters are in the square brackets, you could try something like this

| makeresults
| eval _raw="2023-11-25T21:18:54.244444  [  info      ]  I am a log message  request = GET /api/myendpoint    request_id = ff223452"
| rex "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+\s+\[\W*(?<loglevel>\w+)\W*\]\s+"

but, ideally, you should ask the developers of the application to not use these characters in the first place.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...