Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple capture groups not capturing

arielbintang
New Member
‎11-25-2023 02:02 PM

I have the following log structure:

  2023-11-25T21:18:54.244444  [  info      ]  I am a log message  request = GET /api/myendpoint    request_id = ff223452

I can capture the date and time (without the 244444 part) using:

rex field=myfield "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+"

and timestamp is properly captured.

But if I try to extend this and want to capture the log level as well with for example:

rex field=myfield "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+\s+\[\s*(?<loglevel>\w+)\s*\]\s+"

It didn't work; none of the timestamp nor the loglevel is captured.

What am I doing wrong?

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-25-2023 02:52 PM

You don't appear to be doing anything wrong, given the example you have shared.

| makeresults
| eval _raw="2023-11-25T21:18:54.244444  [  info      ]  I am a log message  request = GET /api/myendpoint    request_id = ff223452"
| rex "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+\s+\[\s*(?<loglevel>\w+)\s*\]\s+"
0 Karma
Reply

arielbintang
New Member
‎11-26-2023 01:10 AM

Thanks for verifying! When I copy paste my log directly to the search box from the log message field and used your makeresults, I see that actually some of the spaces are actually  character; do you know why perhaps its not shown in the results itself (and I have to copy paste)?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-26-2023 03:31 AM

Assuming that the non-word characters are in the square brackets, you could try something like this

| makeresults
| eval _raw="2023-11-25T21:18:54.244444  [  info      ]  I am a log message  request = GET /api/myendpoint    request_id = ff223452"
| rex "(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+\s+\[\W*(?<loglevel>\w+)\W*\]\s+"

but, ideally, you should ask the developers of the application to not use these characters in the first place.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...