Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to display "Blank Character" in multivalue field

gfs2277
New Member
‎10-03-2014 07:59 PM

hello everyone,

i have a question about "Blank Character" display in multivalue field
i use a "rex" to extract many fields ,

| rex "\n(?P[1-9\s])\s*(?P[12])\s*(?P\S*)\s" max_match=0

in field1 , it could be 1-9 OR \s (blank)
when i table this field , the \s disappeared
for some reason , i want to reserve the "blank"
Does anyone have any suggestions ?
thanky you very much

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎10-04-2014 04:40 AM

This regex is pretty confusing to me. You have ?P but no name for the capturing group. Is there a purpose for the presence of the ?P at the start of each group? Perhaps our unhelpful markdown interpreter ate the <fieldname> component.

In any event, there are several scenarios in which the visual display of an empty-space value of a field will not be satisfying. Are you sure the field is not present? Try putting a character on the end of each value to test, such as with |eval myfield=myfield . "x"

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...