Re: rex extract field not working as expected/ mi...

samlinsongguo · ‎08-25-2018

Hi
I have a field with following value

16/08/2018 03:04:11 - Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine  10/08/2018 07:11:53 - Christian (Work notes) Remote Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised

This is all job comments relate with the work and I want to get the last comment only of the job which will be the string between the first and second timestamps

 - Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine

I tried use following regex in regex101.com, it seems works fine.

^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s))

But when I put the rex into the query it does not return anything

... | rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s))" | table number lastcomment

so I am doing some testing and find the problem is splunk miss reading the ")" as if I do following query

... rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.*)" | table number lastcomment

it return as

Christian (Work notes)

instead of the whole string as what ".*" expect to do

Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine  10/08/2018 07:11:53 - Christian (Work notes) Remote Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised

and if I put space between * and ) like below

...| rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.* )" | table number  lastcomment

it will return as

 Christian (Work

Sorry for the long post, any suggestion what is going on there?

richgalloway · ‎08-25-2018

This alternative regex string may work better.

^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?)(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s)

---
If this reply helps you, Karma would be appreciated.

samlinsongguo · ‎08-25-2018

the regex does not make any different.

ddrillic · ‎08-25-2018

I ran the following -

index=os
| eval _raw="16/08/2018 03:04:11 - Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine  10/08/2018 07:11:53 - Christian (Work notes) Remote Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised "
| rex field=_raw  "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s))"

lastcomment came out as - Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine.

samlinsongguo · ‎08-25-2018

Hi ddrillic
I tried run your query it got the result as you mentioned but it is not the only string in the value, so I did
eval _raw=work_notes | rex field=_raw "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s))"
| table lastcomment
it still come out with the same problem

rex extract field not working as expected/ miss handling ")" in regex

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?

rex extract field not working as expected/ miss handling ")" in regex

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler