Splunk Search

With regex, can you help me with a matching issue for a blank space?

su_kumar
New Member

Hello,

I am having an issue with some regex that I wrote.

it is working fine except for this blank space.

Regex :

SHA:\s(?P<value>[^\,\"]+)\,\sFile:(?P<file>\s*[^\,\"]+)Time:\s(\d+\.?\d*)\s(?:.*)

Sample Log :

Case 1:

SHA: 829d93a28c73a03e832201de5159994, File: Time: 1537775701 details[File Analysis ] ------> not working when File name is blank space.

Case 2:
SHA: 68a4b235449a8c3cfc8ed, File: Guia-Deshaon-quicaTime: 1537780892 details[File Analysis ] -----> working fine.

issue:

Field extraction is not happening for filename in case 1. It is ignoring value for filename,
but in the case 2 field extraction, it is happening.

Please help. I am new to regex.

0 Karma

woodcock
Esteemed Legend

Hey, where did you go? Come back here and tell us what happened. Click Accept somewhere and close the question.

0 Karma

kushagra9120
Explorer
| makeresults 
| eval msg="SHA: 829d93a28c73a03e832201de5159994, File: Time: 1537775701 details[File Analysis ] ; SHA: 68a4b235449a8c3cfc8ed, File: Guia-Deshaon-quicaTime: 1537780892 details[File Analysis ]"
| makemv delim=";" msg
| mvexpand msg
| rex field=msg "SHA:\s(?P<value>[^\,\"]+)\,\sFile:(?P<file>\s*[^\,\"]+)?Time:\s(\d+\.?\d*)\s(?:.*)"
| eval file = if('file'=" ","Null",'file')

This should give you two file values Null and Guia-Deshaon-quica

0 Karma

vinod94
Contributor

You can try this,

your search | rex  "SHA\:\s([a-zA-Z0-9]+)\,\sFile\:(?P<File>[^Time].*)Time\:(?P<Time>[^\d]\d+)"

run anywhere this search,

| makeresults 
| eval data="SHA: 829d93a28c73a03e832201de5159994, File: Time: 1537775701 details[File Analysis ];
SHA: 68a4b235449a8c3cfc8ed, File: Guia-Deshaon-quicaTime: 1537780892 details[File Analysis ] " 
| makemv delim=";" data 
| mvexpand data 
| rename data as _raw 
| fields - _time 
| rex field=_raw "SHA\:\s([a-zA-Z0-9]+)\,\sFile\:(?P<File>[^Time].*)Time\:(?P<Time>[^\d]\d+)"
0 Karma

woodcock
Esteemed Legend

Try this:

... | rex "SHA:\s(?<SHA>[^,]+),\sFile:\s(?<File>\S*?)Time:\s(?<Time>\d+)\sdetails\s*\[(?<details>[^\]]+)"
0 Karma

saurabhkharkar
Path Finder
Try this

SHA:\s(?<SHA>[^\,\"]+)\,\sFile:\s(?<File>.*?)Time:\s(?<Time>\d+)\s.+
| table SHA File Time
0 Karma

su_kumar
New Member

it is working on Regex101.com but still field extraction is not happening for file when after File: has space then Time:
log : File: Time:506034567 ---> here After File: has one space then Time: field
Why this field extraction is not happening when File: has space value

0 Karma

saurabhkharkar
Path Finder
seems to be working fine for me 
run this search - string is your sample log

| makeresults
| eval string="SHA: 829d93a28c73a03e832201de5159994, File: Time: 1537775701 details[File Analysis ]"
|rex field=string "SHA:\s(?<SHA>[^\,\"]+)\,\sFile:\s(?<File>.*?)Time:\s(?<Time>\d+)\s.+"
 | table SHA File Time
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!