Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

regex skipping items with square brackets

sphiwee
Contributor
‎11-08-2023 03:58 AM

My regular expression has been working fine.. but now theres data with "[]" and it is being skipped

 

here is the regex 

| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)"
| search Log_level="ERROR"

this log entry is being skipped

13:42:21 [gaming-run-9999999-hit-99999991-step-6129] [[FALSE] Gaming Cans Gaming Redesigned API v.2.6.3] [Consolidated Card Refund Business Process  (Gaminggaming)] [] GameTask [ERROR]

Do I need to update my reg expression?

 

Labels (3)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2023 04:14 AM

You have [FALSE] in your process which is disrupting the match. Assuming this is optional, you could try this:

| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>(\[[^\]]*\]\s)?[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)"

Also, you example doesn't have a date at the beginning which I assumed was a copy paste error. If not, you would have to change that part of the expression too

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...