- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: REGEX not picking up all results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
REGEX not picking up all results
This is the SPLUNK generated pattern - (?i)"Label\\":\\"(?P<FIELDNAME>[^\\]+)
Label is the field in the API
Fieldname is the displayed field see example below of a SPLUNK search
index=nccapi sourcetype="nccapi" | head 10000 | rex "(?i)\"Label\\\\\":\\\\\"(?P<FIELDNAME>[^\\\\]+)" | top 50 FIELDNAME
This picks up names like
Milton Keynes Portal
Mclaren Automotive
TTB
Dun and Bradstreet Limited
Sports Relief Home Page
Six nations
But it ignores:
Milton Keynes Home page
Flight Centre
Any help would be appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RAW DATA Raw data below - It contains labels for Milton Keynes Portal, Milton Keynes Home page and Flight Centre but only Milton Keynes Portal is picked up.
"{\"Version\":\"current\",\"Request\":{\"Return\":\"[Account[AccountId,Name,Pages[Page[Id,Label,TestResults[TestResult[GmtDateTime,TotalSeconds,StatusCode,TestResultDetails[ResultDetail[ConnectSeconds,DataStartSeconds]]]]]]]]]]\",\"AccountId\":\"MN4A9357\",\"StartDate\":\"2014-03-21\",\"StartTime\":\"3:21:39\",\"EndDate\":\"2014-03-21\",\"EndTime\":\"03:26:39\",\"LimitTestResults\":\"250\",\"Format\":\"JSON\"},\"Response\":{\"Status\":\"Ok\",\"Code\":200,\"Message\":\"Success.\",\"Account\":{\"AccountId\":\"MN4A9357\",\"Name\":\"Ed Rademeyer\",\"Pages\":{\"Page\":[{\"Id\":\"MN4PG15333\",\"Label\":\"Milton Keynes Portal\",\"TestResults\":{\"TestResult\":[{\"GmtDateTime\":\"2014-03-21 03:23:39\",\"TotalSeconds\":30.154,\"StatusCode\":\"2\",\"TestResultDetails\":{\"ResultDetail\":[{\"ConnectSeconds\":0.006,\"DataStartSeconds\":2.321},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.021},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.109},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":0.147},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.109},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":0.229},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":2.236},{\"ConnectSeconds\":0.006,\"DataStartSeconds\":2.229},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.079},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.182},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.186},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.109},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.109},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.187},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.201},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":8.75},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.136},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.134},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.14},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.137},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.142},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.144},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.117},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":10.409},{\"ConnectSeconds\":0,\"DataStartSeconds\":17.059},{\"ConnectSeconds\":0,\"DataStartSeconds\":17.056}]}},{\"GmtDateTime\":\"2014-03-21 03:24:14\",\"TotalSeconds\":25.426,\"StatusCode\":\"1\",\"TestResultDetails\":{\"ResultDetail\":[{\"ConnectSeconds\":0.008,\"DataStartSeconds\":23.317},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.11},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":0.225},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.111},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.111},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.257},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.01},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.126},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121}]}}]}},{\"Id\":\"MN4PG15339\",\"Label\":\"Milton Keynes Home page\",\"TestResults\":{\"TestResult\":{\"GmtDateTime\":\"2014-03-21 03:24:45\",\"TotalSeconds\":4.853,\"StatusCode\":\"1\",\"TestResultDetails\":{\"ResultDetail\":[{\"ConnectSeconds\":0.017,\"DataStartSeconds\":0.333},{\"ConnectSeconds\":0.016,\"DataStartSeconds\":0.024},{\"ConnectSeconds\":0.016,\"DataStartSeconds\":0.123},{\"ConnectSeconds\":0.016,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0.006,\"DataStartSeconds\":0.005},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0.016,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0.017,\"DataStartSeconds\":0.126},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.018},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.019},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.023},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.022},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.12},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.12},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.017},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.001},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.018},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.12},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.028},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.029},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.037},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.12},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.134},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.135},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.144},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.12},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.017}]}}}},{\"Id\":\"MN4PG16239\",\"Label\":\"Flight Centre\",\"TestResults\":{\"TestResult\":{\"GmtDateTime\":\"2014-03-21 03:24:45\",\"TotalSeconds\":8.915,\"StatusCode\":\"1\",\"TestResultDetails\":{\"ResultDetail\":[{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.166},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.024},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.01},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.001},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.191},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.05},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.011},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.73},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.19},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.014,\"DataStartSeconds\":0.015},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":1.047},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.709},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.001},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.348},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.015,\"DataStartSeconds\":0.013},{\"ConnectSeconds\":0.006,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.165},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.001},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0.006,\"DataStartSeconds\":0.013},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.014},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.101},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.087,\"DataStartSeconds\":0.091},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.088,\"DataStartSeconds\":0.131},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.015,\"DataStartSeconds\":0.015}]}}}}]}}}}"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the problem might be that your rex only captures the first match (which is the default behaviour). I would suggest;
... | rex "\Label\":\"(?<myLabel>[^\"]+)" max_match=0 | ...
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nevertheless you can try this regex Label\":\"(?<myLable>(\w|\s)+) this picks up all labels from the provided data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hmm looks like JSON....have you tried the spath command on the data? This will take care of JSON key value extraction out of the box. http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Spath
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
