Splunk Search

REGEX not picking up all results

edrad80
New Member

This is the SPLUNK generated pattern - (?i)"Label\\":\\"(?P<FIELDNAME>[^\\]+)

Label is the field in the API
Fieldname is the displayed field see example below of a SPLUNK search

index=nccapi sourcetype="nccapi" | head 10000 | rex "(?i)\"Label\\\\\":\\\\\"(?P<FIELDNAME>[^\\\\]+)" | top 50 FIELDNAME

This picks up names like
Milton Keynes Portal
Mclaren Automotive
TTB
Dun and Bradstreet Limited
Sports Relief Home Page
Six nations

But it ignores:
Milton Keynes Home page
Flight Centre

Any help would be appreciated

Tags (1)
0 Karma

edrad80
New Member

RAW DATA Raw data below - It contains labels for Milton Keynes Portal, Milton Keynes Home page and Flight Centre but only Milton Keynes Portal is picked up.

"{\"Version\":\"current\",\"Request\":{\"Return\":\"[Account[AccountId,Name,Pages[Page[Id,Label,TestResults[TestResult[GmtDateTime,TotalSeconds,StatusCode,TestResultDetails[ResultDetail[ConnectSeconds,DataStartSeconds]]]]]]]]]]\",\"AccountId\":\"MN4A9357\",\"StartDate\":\"2014-03-21\",\"StartTime\":\"3:21:39\",\"EndDate\":\"2014-03-21\",\"EndTime\":\"03:26:39\",\"LimitTestResults\":\"250\",\"Format\":\"JSON\"},\"Response\":{\"Status\":\"Ok\",\"Code\":200,\"Message\":\"Success.\",\"Account\":{\"AccountId\":\"MN4A9357\",\"Name\":\"Ed Rademeyer\",\"Pages\":{\"Page\":[{\"Id\":\"MN4PG15333\",\"Label\":\"Milton Keynes Portal\",\"TestResults\":{\"TestResult\":[{\"GmtDateTime\":\"2014-03-21 03:23:39\",\"TotalSeconds\":30.154,\"StatusCode\":\"2\",\"TestResultDetails\":{\"ResultDetail\":[{\"ConnectSeconds\":0.006,\"DataStartSeconds\":2.321},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.021},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.109},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":0.147},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.109},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":0.229},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":2.236},{\"ConnectSeconds\":0.006,\"DataStartSeconds\":2.229},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.079},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.182},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.186},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.109},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.109},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.187},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.201},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":8.75},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.136},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.134},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.14},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.137},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.142},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.144},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.117},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":10.409},{\"ConnectSeconds\":0,\"DataStartSeconds\":17.059},{\"ConnectSeconds\":0,\"DataStartSeconds\":17.056}]}},{\"GmtDateTime\":\"2014-03-21 03:24:14\",\"TotalSeconds\":25.426,\"StatusCode\":\"1\",\"TestResultDetails\":{\"ResultDetail\":[{\"ConnectSeconds\":0.008,\"DataStartSeconds\":23.317},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.11},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":0.225},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.111},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.111},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.257},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.01},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.126},{\"ConnectSeconds\":0.007,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121}]}}]}},{\"Id\":\"MN4PG15339\",\"Label\":\"Milton Keynes Home page\",\"TestResults\":{\"TestResult\":{\"GmtDateTime\":\"2014-03-21 03:24:45\",\"TotalSeconds\":4.853,\"StatusCode\":\"1\",\"TestResultDetails\":{\"ResultDetail\":[{\"ConnectSeconds\":0.017,\"DataStartSeconds\":0.333},{\"ConnectSeconds\":0.016,\"DataStartSeconds\":0.024},{\"ConnectSeconds\":0.016,\"DataStartSeconds\":0.123},{\"ConnectSeconds\":0.016,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0.006,\"DataStartSeconds\":0.005},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0.016,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0.017,\"DataStartSeconds\":0.126},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.018},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.019},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.023},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.022},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.12},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.12},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.017},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.001},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.018},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.121},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.12},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.028},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.029},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.037},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.12},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.118},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.134},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.135},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.144},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.12},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.119},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.017}]}}}},{\"Id\":\"MN4PG16239\",\"Label\":\"Flight Centre\",\"TestResults\":{\"TestResult\":{\"GmtDateTime\":\"2014-03-21 03:24:45\",\"TotalSeconds\":8.915,\"StatusCode\":\"1\",\"TestResultDetails\":{\"ResultDetail\":[{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.166},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.024},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.01},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.001},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.191},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.05},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.011},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.73},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.19},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.014,\"DataStartSeconds\":0.015},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":1.047},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.709},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.001},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.348},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.015,\"DataStartSeconds\":0.013},{\"ConnectSeconds\":0.006,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.165},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.001},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0.006,\"DataStartSeconds\":0.013},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.009,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.006},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.014},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0},{\"ConnectSeconds\":0.001,\"DataStartSeconds\":0.101},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.009},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.087,\"DataStartSeconds\":0.091},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0,\"DataStartSeconds\":0.008},{\"ConnectSeconds\":0.088,\"DataStartSeconds\":0.131},{\"ConnectSeconds\":0.008,\"DataStartSeconds\":0.007},{\"ConnectSeconds\":0.015,\"DataStartSeconds\":0.015}]}}}}]}}}}"

0 Karma

kristian_kolb
Ultra Champion

I think the problem might be that your rex only captures the first match (which is the default behaviour). I would suggest;

... | rex "\Label\":\"(?<myLabel>[^\"]+)" max_match=0 | ...

/k

0 Karma

MuS
SplunkTrust
SplunkTrust

nevertheless you can try this regex Label\":\"(?<myLable>(\w|\s)+) this picks up all labels from the provided data.

0 Karma

MuS
SplunkTrust
SplunkTrust

hmm looks like JSON....have you tried the spath command on the data? This will take care of JSON key value extraction out of the box. http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Spath

Get Updates on the Splunk Community!

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...