Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Query regarding splunk field extraction

p_basanth
New Member
‎03-19-2013 09:06 PM

Using the below regex I was able to extract first7 fields
Need to extract the last 3 fields
How to skip the blank <> <> tags and continue?

Sample Event:

####(DateTime) (Info) (Health) (host.domain.name) (component1) (component2) ((anonymous)) () () (1363678659879) (BEA-310002) (54% of the total memory in the server is free)

The original event has angular braces <> as the field delimiter above. Due to browser compatibility i have changed them to normal braces()

Regex working fine (first 7 fields):
####<(?P< F1>[^>]+)> \s+<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^.]+)[^<\n]<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^>]+>)>


Below regex not working (after 7th field):
####<(?P< FIELDNAME1>[^>]+)> \s+<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^.]+)[^<\n]<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^>]+>)>[^>\n]>\s[^>\n]>\s+<(?P[^>]+)>\s+<(?P[^>]+)>\s+<(?P[^>]+)>

Tags (2)
0 Karma
Reply

datasearchninja
Communicator
‎03-19-2013 09:16 PM

You need to change the '+' to a '*' in any field that can be empty.

e.g:
[^>]+ must match at least one character that is not '>'
[^>]* can match no characters

0 Karma
Reply

p_basanth
New Member
‎03-19-2013 09:55 PM

Figured out the issue. The field before empty has 2 angular braces <>. Now working fine. Thanks for the pointer.

0 Karma
Reply

p_basanth
New Member
‎03-19-2013 09:34 PM

No luck !! Tried '*' in the place of '+'. Not able to locate 3rd last field

0 Karma
Reply

p_basanth
New Member
‎03-19-2013 09:07 PM

Original sample Event: 

 ####      <> <> <> <1363678659879>  <54% of the total memory in the server is free>

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...