Splunk Search

Regex not working on Splunk for the expression which works well on regex101

Shariq
Explorer

I have data as below:

Request-all-Headers = Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https 

and the working rex below from regex101:

IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})

Now when I tried the same with Splunk, Splunk is not able to extract the fields. My Splunk query is below:

index=test sourcetype="test"
| rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})"
| rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})"

0 Karma
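Added example, not code from the thread or from Splunk: the two named-group patterns from the post run with Python's re module, which accepts the same (?P<name>...) syntax as Splunk's PCRE-based rex, so it reproduces what regex101 shows and gives a reference result to compare a Splunk extraction against. The sample string is the post's header blob with the bearer token value replaced by a placeholder; the header-name list, the generalised parse_header_blob function and the redact_bearer helper are my own additions, not anything the post describes.

```python
import re

# Constructed sample: the header blob from the post, with the Authorization bearer value
# swapped for a placeholder (assumption: the real value is a credential and should not be copied).
SAMPLE_HEADERS = (
    "Accept - */* Authorization - Bearer REDACTED_TOKEN_PLACEHOLDER "
    "Content-Type - application/json Host - api.ingrammicro.com "
    "IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 "
    "IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED "
    "X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https"
)

# The combined pattern from the post, verbatim. Python's re and Splunk's rex both accept (?P<name>...).
COMBINED = re.compile(
    r"IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})"
)
# The two single-field patterns the post's SPL applies in two chained rex commands.
COUNTRY = re.compile(r"IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})")
CUSTNO = re.compile(r"IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})")

# Header names visible in the sample (my own list, used only by the generalised parser below).
HEADER_NAMES = [
    "Accept", "Authorization", "Content-Type", "Host", "IM-CorrelationID", "IM-CountryCode",
    "IM-CustomerNumber", "IM-SenderID", "simulateStatus", "X-Forwarded-For",
    "X-Forwarded-Port", "X-Forwarded-Proto",
]


def extract_combined(headers: str) -> dict:
    """Apply the combined pattern; an empty dict mirrors rex producing no fields on a non-match."""
    m = COMBINED.search(headers)
    return m.groupdict() if m else {}


def extract_separately(headers: str) -> dict:
    """Apply the two single-field patterns independently, like two chained rex commands."""
    out = {}
    for pat in (COUNTRY, CUSTNO):
        m = pat.search(headers)
        if m:
            out.update(m.groupdict())
    return out


def parse_header_blob(headers: str, names) -> dict:
    """Generalisation (mine, not the post's): capture every '<Name> - <value>' pair.

    Each value runs until the next known header name followed by ' - ', or end of input.
    The boundary is a lookahead, so a run-together pair like '10.0.0.0X-Forwarded-Port'
    (present in the sample) still splits correctly, which a split on whitespace would not.
    """
    ordered = sorted(names, key=len, reverse=True)  # longest first: a name that is a prefix of another cannot win
    alternation = "|".join(re.escape(n) for n in ordered)
    pattern = re.compile(
        rf"(?P<name>{alternation})\s+-\s+(?P<value>.*?)(?=\s*(?:{alternation})\s+-|\Z)",
        re.S,
    )
    return {m.group("name"): m.group("value").strip() for m in pattern.finditer(headers)}


def redact_bearer(headers: str) -> str:
    """Mask the bearer value so the blob can be kept in a log or shared without exposing the token."""
    return re.sub(r"(Authorization\s+-\s+Bearer\s+)\S+", r"\1<redacted>", headers)


if __name__ == "__main__":
    print(extract_combined(SAMPLE_HEADERS))
    print(extract_separately(SAMPLE_HEADERS))
    print(parse_header_blob(SAMPLE_HEADERS, HEADER_NAMES))
    print(redact_bearer(SAMPLE_HEADERS))
```

If both functions return the same two fields here but Splunk returns nothing, the pattern is not the problem; the difference lies in what the rex command is actually being handed (the field name or the field's stored value), which is the direction the replies below take. The redaction helper is there because the post's sample carries a live-looking Authorization header in the logged value.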

Shariq
Explorer

I even tried changing the variable name, but no luck.

0 Karma

jbanAtSplunk
Communicator

Have you tried on the _raw field?
like
rex field=_raw "your_regex"

0 Karma

Shariq
Explorer

I did not try _raw earlier, but when I did just now, it worked. But still, I am not clear why Request-all-Headers is not working, since I can see that this field is getting extracted properly without any rex.

0 Karma

Shariq
Explorer

No, it is still not working in Splunk with a real event. I can see the events, but the query is not doing anything. The makeresults is something I tried in all ways, and it works with makeresults but not with the query on the original event.

| makeresults | eval Request-all-Headers="Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})"
| rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})" | table Request-all-Headers country custno

0 Karma

jbanAtSplunk
Communicator

Hi, can you try your original search?

| makeresults | eval Request-all-Headers="Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})" | table Request-all-Headers country custno

[screenshot attached: jbanAtSplunk_0-1635453233619.png]

0 Karma

ITWhisperer
SplunkTrust

Try putting the field name in single quotes in the rex command

0 Karma

Shariq
Explorer

Single quotes did not work.

0 Karma