Why does Field extraction requires trim?

JarrettM · ‎01-30-2018

My iis data has a field name cs_uri_query, for example:

Cmd=Sync&User=XYZ%5Cjqpublic%40xyz.com&DeviceId=SEC539D6F312D5B3&DeviceType=SMG930V

Thusernameme is embedded in this field and I use the following regex to extract a new field called user_name:

^[^%]*%\d\w(?P\w+)

The new field is extracted properly and shows as:

user_name  = jqpublic

However, if I do a specific search like:

index=iis host=server1 user_name=jqpublic

I get no results.

Only if I trim the field, or use a wildcard, are results returned:

index=iis | eval user_name=trim(user_name) | search user_name=jqpublic

Any thoughts why trim is required here?

Thanks!

JarrettM · ‎01-30-2018

Yes that works, as does creating a calculated field that trims the extracted field. But what I want to know is why any of this is necessary. Why doesn't the original extraction work correctly?

Thanks!

493669 · ‎01-30-2018

not sure which regex expression you are using...
It seems your extracted user_name field contains spaces so you need to trim...

493669 · ‎01-30-2018

Hey have you tried this:

index=iis|rex "^[^%]*%\d\w(?P<user_name>\w+)"|search user_name="jqpublic"

Why does Field extraction requires trim?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk