Hi
I have a field with following value
16/08/2018 03:04:11 - Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine 10/08/2018 07:11:53 - Christian (Work notes) Remote Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised
This is all job comments relate with the work and I want to get the last comment only of the job which will be the string between the first and second timestamps
- Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine
I tried use following regex in regex101.com, it seems works fine.
^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s))
But when I put the rex into the query it does not return anything
... | rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s))" | table number lastcomment
so I am doing some testing and find the problem is splunk miss reading the ")" as if I do following query
... rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.*)" | table number lastcomment
it return as
Christian (Work notes)
instead of the whole string as what ".*" expect to do
Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine 10/08/2018 07:11:53 - Christian (Work notes) Remote Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised
and if I put space between * and ) like below
...| rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.* )" | table number lastcomment
it will return as
Christian (Work
Sorry for the long post, any suggestion what is going on there?
This alternative regex string may work better.
^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?)(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s)
the regex does not make any different.
I ran the following -
index=os
| eval _raw="16/08/2018 03:04:11 - Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine 10/08/2018 07:11:53 - Christian (Work notes) Remote Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised "
| rex field=_raw "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s))"
lastcomment
came out as - Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine
.
Hi ddrillic
I tried run your query it got the result as you mentioned but it is not the only string in the value, so I did
eval _raw=work_notes | rex field=_raw "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?
| table lastcomment
it still come out with the same problem