Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex not extracting fields with spaces between fields

ssaenger
Communicator
‎07-15-2015 01:35 AM

Hi,

i am again struggling with regex.
I have the following lines in a log file, some of the text is constantly in the log file so i thought that i would be able to keep it, i think my issue is with the gaps between the text, i am using /s+ to cope with whitespaces and possible tabs. I would like to extract the alpha-numeric strings.

2015/07/14 14:06:27.572 [Logger] [qtp1455736317-371]:  INFO: [55a51763e4b0a933] PC Response: RequestId: 150316 User-Id: 04-7FFABFFF-00809F1D RequestType: Open

and i have tried to write the regex

(?<date_time>\d{4}\.\d{2}\.\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3})\s+[Logger]\s+(?<transaction_id>[^;]+)\s+INFO:\s+(?<info>[^;]+)\s+PC\s+Response:\s+RequestId:\s+(?<request_id>[^;]+)\s+ User-Id:\s+(?<user_id>[^;]+)\s+RequestType:\s+Open

none of the fields are picked up, i do not know if its because there are : in the text and they need to be escaped..

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎07-15-2015 01:59 AM

This should work:

(?<date_time>\d{2}(?:\d{2}.)*\d{3})\s\[Logger\]\s\[(?<transaction_id>[^\]]+)\]\:\s+INFO\:\s+\[(?<info>[^\]]+)\]\s+PC\sResponse\:\s+RequestId\:\s+(?<request_id>[\S]+)\sUser\-Id\:\s+(?<user_id>[\S]+)\s+RequestType\:\s+Open

Some generally good ideas: Use tools to help you out, such as regex101.com - with their help, you don't need to poke around blindfolded and regular expressions become a fun thing. Furthermore, always escape special characters. Even if the tools may work without an escaped :, splunk is quite strict with that. Lastly, in your capturing groups you used

[^;]

to capure digits and other characters - I'd recommend you always use a negation of what comes before the next field, which is why I used \S for those fields that are separated by a whitespace and

[^\]]

for those fields which were in square brackets. If you want to have the square brackets in your fields, then simply change those parts so that they also use the above method.

View solution in original post

Reply
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎07-15-2015 01:59 AM

This should work:

(?<date_time>\d{2}(?:\d{2}.)*\d{3})\s\[Logger\]\s\[(?<transaction_id>[^\]]+)\]\:\s+INFO\:\s+\[(?<info>[^\]]+)\]\s+PC\sResponse\:\s+RequestId\:\s+(?<request_id>[\S]+)\sUser\-Id\:\s+(?<user_id>[\S]+)\s+RequestType\:\s+Open

Some generally good ideas: Use tools to help you out, such as regex101.com - with their help, you don't need to poke around blindfolded and regular expressions become a fun thing. Furthermore, always escape special characters. Even if the tools may work without an escaped :, splunk is quite strict with that. Lastly, in your capturing groups you used

[^;]

to capure digits and other characters - I'd recommend you always use a negation of what comes before the next field, which is why I used \S for those fields that are separated by a whitespace and

[^\]]

for those fields which were in square brackets. If you want to have the square brackets in your fields, then simply change those parts so that they also use the above method.

Reply
Solved! Jump to solution

ssaenger
Communicator
‎07-15-2015 04:07 AM

works a treat, thanks jeffland

0 Karma
Reply
Solved! Jump to solution

sduff_splunk
Splunk Employee
Splunk Employee
‎07-15-2015 01:53 AM 
(?<date_time>\d{4}/\d{2}/\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3})\s+[Logger]\s+(?<transaction_id>[^;]+)\s+INFO:\s+(?<info>[^;]+)\s+PC\s+Response:\s+RequestId:\s+(?<request_id>[^;]+)\s+User-Id:\s+(?<user_id>[^;]+)\s+RequestType:\s+Open

Your date_time has (slash). which matches only a dot, while your event has /. You also have a space before User-Id, while the \s+ means that there must be a second white space character there.

I think you got all the other s+ correct. I'm not sure why you are matching everything except sem-colons ([^;]) but it should still work.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...