REGEX extract field at certain position

tjohnson341
Explorer

I am attempting to extract fields from a file which was created to be human readable, so it has fields aligned at certain column numbers throughout. I wrote a regular expression to get a digit character at a specific column number and extract that to the lvl field. The actual expression is

(?<=^.{54})([0-9])

This expression works without the field specification in Notepad++ for a search within the file that I'm trying to extract fields from in Splunk, but it doesn't find any suitable field values when used in the rex command or in Field Extraction. I figured this was a difference in syntax for PCRE regexes, or that there is a multiline specification that I'm missing. Adding a \m to the regex did not seem to do the trick.


richgalloway
SplunkTrust

This worked for me in regex101.com using your sample input.

"(?mg)^.{55}(?<lvl>[0-9])"

I've abandoned the field extractor as it seems to rarely work well for me.

---
If this reply helps you, Karma would be appreciated.
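As an added illustration of the fix above (example code, not from the thread): the same fixed-width extraction in Python's re, which spells named groups (?P<lvl>...) where Splunk's rex uses (?<lvl>...). The sample rows are constructed here in the report's layout (Lvl at column 54); both the lookbehind form from the question and the consume-the-prefix form from the answer are shown, plus what happens when the multiline flag is left off.

```python
import re

# Constructed fixed-width sample in the layout of the report discussed above
# (SSN at col 0, Emplid at 12, Employee Name at 20, Lvl at 54). Values are made up.
ROWS = [
    ("xxxxxxxxx", "xxxxxx", "Testy, Tester A", "2", "Organization"),
    ("xxxxxxxxx", "xxxxxx", "Testname, Test", "3", "Organization"),
    ("xxxxxxxxx", "xxxxxx", "Testerman, Testly", "1", "Organization"),
]
HEADER = f"{'SSN':<12}{'Emplid':<8}{'Employee Name':<34}{'Lvl':<6}Field Name"
SAMPLE = "\n".join([HEADER] + [f"{s:<12}{e:<8}{n:<34}{l:<6}{f}" for s, e, n, l, f in ROWS])

# The group name wraps the captured digit, not the lookbehind. Python's re uses
# (?P<lvl>...) for what rex writes as (?<lvl>...). (?m) / re.MULTILINE makes ^
# anchor at every line start instead of only at the start of the whole text.
LOOKBEHIND = re.compile(r"(?<=^.{54})(?P<lvl>[0-9])", re.MULTILINE)
# Equivalent without a lookbehind, as in the answer above: consume the 54-char prefix.
CONSUME = re.compile(r"^.{54}(?P<lvl>[0-9])", re.MULTILINE)


def extract_lvl(text, pattern=LOOKBEHIND):
    """Return the lvl value from every line that has a digit at column 54."""
    return [m.group("lvl") for m in pattern.finditer(text)]


def extract_lvl_no_multiline(text):
    """Same pattern without the multiline flag: ^ only matches at offset 0, so
    only the header line is tested and nothing is found. This is the
    'works in my editor but not in the search' symptom."""
    return [m.group("lvl") for m in re.finditer(r"(?<=^.{54})(?P<lvl>[0-9])", text)]


def column_of(text, field="Lvl"):
    """0-based column of a header field; use it to check the .{N} count."""
    return text.splitlines()[0].index(field)


if __name__ == "__main__":
    print(column_of(SAMPLE))                 # which N to put in .{N}
    print(extract_lvl(SAMPLE))               # lookbehind form
    print(extract_lvl(SAMPLE, CONSUME))      # consume form
    print(extract_lvl_no_multiline(SAMPLE))  # no (?m): nothing
```

Note that .{N} counts characters before the digit, so an off-by-one in N (54 vs 55) silently yields no matches; column_of on the header line settles the count.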

richgalloway
SplunkTrust

Try testing your expressions at https://www.regex101.com/. It supports PCRE expressions.
If you post a sample of your input here someone may be able to spot where you've made an error.

---
If this reply helps you, Karma would be appreciated.

tjohnson341
Explorer
SSN         Emplid  Employee Name                     Lvl   Field Name                       Field Value                      Err#   Error Description                                                                  Resp   Position

xxxxxxxxx   xxxxxx  Testy, Tester A                   2     Organization                     testval                          0086   Organization is blank or invalid                                                   L      testval                       
xxxxxxxxx   xxxxxx  Testname, Test                    2     Organization                     testval                          0086   Organization is blank or invalid                                                   L      testval                       
xxxxxxxxx   xxxxxx  Testerman, Testly                 2     Organization                     testval                          0086   Organization is blank or invalid                                                   L      testval  

Here is the input sample I used, and the exact expression the tester used is

/(?<=^.{54})([0-9])/mg

Now I added the global modifier - the /g, and it did find all of the field values I was expecting. This regex still is not working in the Field Extractor or with the rex command, when I input it exactly as shown above.


tjohnson341
Explorer

Sorry - note the version I'm using in Splunk is

/(?<lvl><=^.{54})([0-9])/mg

to specify that I want the result to be put in the lvl field.
