Hi @jip31,
Your line breaker problem seems to be because of timestamps. It assumes %m-%d-%Y but it is %d-%m-%Y.
Please try changing your TIME_FORMAT to Advanced and use the format below:
%d-%m-%Y %H:%M
Hi @jip31,
Try this.
| rex field=_raw "\d+\/\d+\/\d+\s\d+:\d+\s\d\s(?P<Field>[^\s*][A-Za-z0-9\s()._$]*)"
Hi @jip31,
Can you please share your _raw data using a screenshot? There should be a difference between your data and your sample.
| rex "\d+\/\d+\/\d+\s+\d+:\d+\s+\d+\s+(?<field>.*)"
Have you tried this? It is subtly different from the other rex strings because it takes into account multiple white-space characters in all instances; these are apparent in your screenshot.
Like I said, the first problem I have is to extract these fields.
You can see the sourcetype config here: https://www.cjoint.com/c/KCyoNqARbmb
After this, I try to extract the field I need with the field extractor, but it doesn't work and I don't understand why.
Hi @jip31,
to catch everything after the string "03/01/2019 07:10 0 ", please try this regex:
| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<your_field>.*)"
that you can test at https://regex101.com/r/lxl2sg/1
Ciao.
Giuseppe
It works fine in regex101 but not in my search.
Here is what I am doing:
index=toto sourcetype="flags"
| rex field1="\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<field1>.*)"
| table field1
Is there something wrong?
Hi @jip31,
yes: the rex command has a different syntax:
| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<your_field>.*)"
You don't have to add "field1=" before the regex.
Ciao.
Giuseppe
Hi,
I think I am not speaking clearly.
I need to extract the field highlighted in yellow in the screenshot and to call it "software": https://www.cjoint.com/c/KCynsMbuF2b
What I don't understand is that when I try to extract the field manually with a regex method, all the lines have disappeared except the first, which begins with "Microsoft Windows...".
So I can't use your regex because "your_field" doesn't exist.
Hi @jip31,
sorry, but I don't understand the problem:
did you try my regex (the one I hinted at, not the one you used), replacing your_field with software?
| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<software>.*)"
If it's not running in your Splunk, what's your result?
Ciao.
Giuseppe
Giuseppe
The regex doesn't work because I don't succeed in extracting this field properly....
When I am doing a field extraction, I catch the field and call it "software", but at the end of the extraction, all the lines have disappeared...
Hi @jip31,
please check if the data you shared are correct, because, using your data, it runs:
| makeresults
| eval _raw="03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w"
| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<software>.*)"
| table software
Ciao.
Giuseppe
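The following is an added example, not code from the thread or from Splunk: it runs the same regex as the rex above in Python against a few constructed sample events (modelled on the "03/01/2019 07:10 0 <software>" lines), once with the single `\s` before the counter and once with `\s+` everywhere, to show why a run of spaces makes the strict version miss lines, and it parses the leading timestamp with both a month-first and a day-first format to show how the wrong TIME_FORMAT misreads or rejects dates (the point of the first answer). Python's `re` module needs the `(?P<name>...)` group syntax where Splunk's rex accepts `(?<name>...)`; the event strings and the `\s+` variant are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample events (not from the thread's screenshot). Whitespace between
# the columns varies on purpose, as runs of spaces do in the user's data.
SAMPLE_EVENTS = [
    "03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w",
    "03/01/2019 07:10  0   Microsoft Windows 10 Enterprise",
    "13/01/2019 09:45 0 Google Chrome (80.0) EN",
    "not a timestamped line at all",
]

# Same pattern as the rex in the thread, in Python's (?P<name>...) syntax.
# Note the single \s between the time and the counter column.
STRICT_GAP = re.compile(r"\d+/\d+/\d+\s+\d+:\d+\s\d+\s+(?P<software>.*)")

# Variant with \s+ in every gap: tolerates several spaces between columns.
ANY_GAP = re.compile(r"\d+/\d+/\d+\s+\d+:\d+\s+\d+\s+(?P<software>.*)")


def extract_software(events, pattern=ANY_GAP):
    """Return the 'software' capture for each event, or None when the regex does not match.

    A None here corresponds to an event that would simply have no 'software'
    field after the rex command.
    """
    results = []
    for raw in events:
        match = pattern.search(raw)
        results.append(match.group("software") if match else None)
    return results


def parse_timestamp(raw, fmt):
    """Parse the 16-character 'dd/mm/yyyy HH:MM' prefix of an event with the given strptime format.

    Returns None when the prefix does not fit the format. Reading a day-first
    timestamp with a month-first format either swaps day and month silently
    (day <= 12) or fails outright (day > 12), which is the kind of mismatch that
    breaks timestamp recognition and line breaking.
    """
    prefix = raw[:16]
    try:
        return datetime.strptime(prefix, fmt)
    except ValueError:
        return None


if __name__ == "__main__":
    print("strict:", extract_software(SAMPLE_EVENTS, STRICT_GAP))
    print("any   :", extract_software(SAMPLE_EVENTS, ANY_GAP))
    for fmt in ("%m/%d/%Y %H:%M", "%d/%m/%Y %H:%M"):
        print(fmt, [parse_timestamp(e, fmt) for e in SAMPLE_EVENTS])
```

The second event is the interesting one: with the single `\s` the match fails as soon as two spaces follow the time, so that line gets no `software` value at all, while the `\s+` variant captures "Microsoft Windows 10 Enterprise". The third event shows the timestamp side: "13/01/2019" is rejected by the month-first format and only parses day-first.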
Yes, like this it works fine.
You don't need field1=, rex defaults to matching against _raw.
It doesn't work even if I don't do field1=.