Re: Query regarding splunk field extraction

p_basanth · ‎03-19-2013

Using the below regex I was able to extract first7 fields
Need to extract the last 3 fields
How to skip the blank <> <> tags and continue?

Sample Event:

####(DateTime) (Info) (Health) (host.domain.name) (component1) (component2) ((anonymous)) () () (1363678659879) (BEA-310002) (54% of the total memory in the server is free)

The original event has angular braces <> as the field delimiter above. Due to browser compatibility i have changed them to normal braces()

Regex working fine (first 7 fields):

####<(?P< F1>[^>]+)> \s+<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^.]+)[^<\n]<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^>]+>)>

Below regex not working (after 7th field):

####<(?P< FIELDNAME1>[^>]+)> \s+<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^.]+)[^<\n]<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^>]+>)>[^>\n]>\s[^>\n]>\s+<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^>]+)>

datasearchninja · ‎03-19-2013

You need to change the '+' to a '*' in any field that can be empty.

e.g:
[^>]+ must match at least one character that is not '>'
[^>]* can match no characters

p_basanth · ‎03-19-2013

Figured out the issue. The field before empty has 2 angular braces <>. Now working fine. Thanks for the pointer.

p_basanth · ‎03-19-2013

No luck !! Tried '*' in the place of '+'. Not able to locate 3rd last field

p_basanth · ‎03-19-2013

Original sample Event:

 ####      <> <> <> <1363678659879>  <54% of the total memory in the server is free>

Query regarding splunk field extraction

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Query regarding splunk field extraction

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability