Splunk Search

Regex not extracting fields with spaces between fields

ssaenger
Communicator

Hi,

I am again struggling with regex.
I have the following lines in a log file. Some of the text is constantly in the log file, so I thought I would be able to keep it; I think my issue is with the gaps between the text. I am using \s+ to cope with whitespace and possible tabs. I would like to extract the alphanumeric strings.

2015/07/14 14:06:27.572 [Logger] [qtp1455736317-371]:  INFO: [55a51763e4b0a933] PC Response: RequestId: 150316 User-Id: 04-7FFABFFF-00809F1D RequestType: Open

and I have tried to write the regex

(?<date_time>\d{4}\.\d{2}\.\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3})\s+[Logger]\s+(?<transaction_id>[^;]+)\s+INFO:\s+(?<info>[^;]+)\s+PC\s+Response:\s+RequestId:\s+(?<request_id>[^;]+)\s+ User-Id:\s+(?<user_id>[^;]+)\s+RequestType:\s+Open

None of the fields are picked up; I do not know if it's because there are ':' characters in the text and they need to be escaped.

0 Karma
1 Solution

jeffland
SplunkTrust

This should work:

(?<date_time>\d{2}(?:\d{2}.)*\d{3})\s\[Logger\]\s\[(?<transaction_id>[^\]]+)\]\:\s+INFO\:\s+\[(?<info>[^\]]+)\]\s+PC\sResponse\:\s+RequestId\:\s+(?<request_id>[\S]+)\sUser\-Id\:\s+(?<user_id>[\S]+)\s+RequestType\:\s+Open

Some generally good ideas: Use tools to help you out, such as regex101.com - with their help, you don't need to poke around blindfolded and regular expressions become a fun thing. Furthermore, always escape special characters. Even if the tools may work without an escaped :, Splunk is quite strict with that. Lastly, in your capturing groups you used

[^;]

to capture digits and other characters - I'd recommend you always use a negation of what comes before the next field, which is why I used \S for those fields that are separated by a whitespace and

[^\]]

for those fields which were in square brackets. If you want to have the square brackets in your fields, then simply change those parts so that they also use the above method.
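As an added check that is not part of the thread: the question's pattern and the accepted pattern, exactly as posted, run against the sample event in JavaScript (whose RegExp accepts the same (?<name>...) groups and backslash escapes as Splunk's PCRE), plus a constructed fragment showing why the answer bounds each capture by the delimiter that follows it rather than using [^;].

```javascript
// Added example (not from the thread): the two patterns as posted, applied to
// the sample event with JavaScript's RegExp, which accepts the same
// (?<name>...) groups and backslash escapes that Splunk's PCRE does.
const SAMPLE_EVENT =
  "2015/07/14 14:06:27.572 [Logger] [qtp1455736317-371]:  INFO: " +
  "[55a51763e4b0a933] PC Response: RequestId: 150316 " +
  "User-Id: 04-7FFABFFF-00809F1D RequestType: Open";

// The question's pattern: "\." where the event has "/", an unescaped [Logger]
// (a character class matching one letter, not the literal text) and "\s+ " that
// demands whitespace followed by one more space before User-Id.
const ORIGINAL = String.raw`(?<date_time>\d{4}\.\d{2}\.\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3})\s+[Logger]\s+(?<transaction_id>[^;]+)\s+INFO:\s+(?<info>[^;]+)\s+PC\s+Response:\s+RequestId:\s+(?<request_id>[^;]+)\s+ User-Id:\s+(?<user_id>[^;]+)\s+RequestType:\s+Open`;

// The accepted answer's pattern: brackets escaped, each capture bounded by the
// delimiter that follows it ("]" or whitespace).
const FIXED = String.raw`(?<date_time>\d{2}(?:\d{2}.)*\d{3})\s\[Logger\]\s\[(?<transaction_id>[^\]]+)\]\:\s+INFO\:\s+\[(?<info>[^\]]+)\]\s+PC\sResponse\:\s+RequestId\:\s+(?<request_id>[\S]+)\sUser\-Id\:\s+(?<user_id>[\S]+)\s+RequestType\:\s+Open`;

// Apply one pattern to one event: the named groups, or null when it does not match.
function extractFields(pattern, event) {
  const m = new RegExp(pattern).exec(event);
  return m ? { ...m.groups } : null;
}

// Why the answer bounds captures by the next delimiter: a class that only
// excludes a character the event never contains can silently swallow the
// neighbouring fields instead of failing. Constructed fragment; the pattern
// below "forgets" the User-Id field that sits between RequestId and RequestType.
const FRAGMENT = "RequestId: 150316 User-Id: 04-7FFABFFF-00809F1D RequestType: Open";
function requestIdWith(charClass) {
  const re = new RegExp(String.raw`RequestId:\s+(?<request_id>${charClass})\s+RequestType:`);
  const m = re.exec(FRAGMENT);
  return m ? m.groups.request_id : null;
}

console.log(extractFields(ORIGINAL, SAMPLE_EVENT)); // null: no match at all
console.log(extractFields(FIXED, SAMPLE_EVENT));    // all five named fields
console.log(requestIdWith(String.raw`[^;]+`));       // "150316 User-Id: 04-7FFABFFF-00809F1D"
console.log(requestIdWith(String.raw`\S+`));         // null: the bounded capture fails loudly
```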

ssaenger
Communicator

Works a treat, thanks jeffland.

0 Karma

sduff_splunk
Splunk Employee
(?<date_time>\d{4}/\d{2}/\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3})\s+\[Logger\]\s+(?<transaction_id>[^;]+)\s+INFO:\s+(?<info>[^;]+)\s+PC\s+Response:\s+RequestId:\s+(?<request_id>[^;]+)\s+User-Id:\s+(?<user_id>[^;]+)\s+RequestType:\s+Open

Your date_time has \. which matches only a dot, while your event has /. You also have a space before User-Id, while the \s+ means that there must be a second whitespace character there.

I think you got all the other \s+ correct. I'm not sure why you are matching everything except semicolons ([^;]) but it should still work.

0 Karma