Re: Why is a field extracted with rex always empty...

deborahdigges · ‎01-07-2016

I have two log statements:

daily.cron run at startTime
daily.cron complete at endTime.

I am trying to extract the StartTime and EndTime for each cluster and put it in a table. Somehow, EndTime is always empty.

index=qbo "daily.cron run at"
| rex field=_raw "daily.cron run at (?<StartTime>.*)"
|  append [ search "daily.cron complete at"
| rex field=_raw  "daily.cron complete at (?<EndTime>.*)" ]
| table cluster, StartTime,EndTime| sort cluster

javiergn · ‎01-07-2016

I've fixed some issues in your search. Try this and see if that works:

index=qbo "daily.cron run at"
 | rex field=_raw "daily\.cron run at (?<StartTime>.*)"
 |  append [ search index=qbo "daily.cron complete at"
 | rex field=_raw  "daily\.cron complete at (?<EndTime>.*)" ]
 | table cluster, StartTime,EndTime| sort cluster

Also, in order to improve the performance, I would try to write a more exhaustive regex avoiding the dot wildcard (.*) whenever possible. If you know how your start and end time format look like, use that in your regex.

Thanks,
J

sundareshr · ‎01-07-2016

Have you tested your regex. regex101.com is a great resource for testing regular expressions

Having said that, have you tried without the sub search? You should be able to get the same results like this

index=qbo "daily.cron run at" OR "daily.cron complete at" | rex "daily.cron run at (?<StartTime>.*)" | rex "daily.cron complete at (?<EndTime>.*)" | table cluster, StartTime, EndTime

Why is a field extracted with rex always empty in a table?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Are you a member of the Splunk Community?

Why is a field extracted with rex always empty in a table?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025