rex search not extracting correctly

RobKelley06
Explorer

I am trying to extract 2 fields out of the result, but it keeps grabbing the wrong values.

Example result:
123456789:17:05:18.865;1234;12345678;SRS;80;null;0;0;1

I want to extract the "80" and the "null" fields.  I have tried the following:

| rex field=_raw "([^;]*;){4}(?<Code>;)(?<Error>;)([^;]*;){2}"
| rex field=_raw "([^;]*;){3}(?<Code>;)(?<Error>;)([^;]*;){2}"
| rex field=_raw "([^;]*;)([^;]*;)([^;]*;)([^;]*;)(?<Code>;)(?<Error>;)([^;]*;){2}"
| rex field=_raw "([^;]*;)([^;]*;)([^;]*;)(?<Code>;)(?<Error>;)([^;]*;){2}"
| rex field=_raw "([^;]*;)([^;]*;)([^;]*;)([^;]*;)(?<Code>;)(?<Error>;)([^;]*;)([^;]*;)"
| rex field=_raw "([^;]*;)([^;]*;)([^;]*;)(?<Code>;)(?<Error>;)([^;]*;)([^;]*;)([^;]*;)"

Every time the "Code" value is coming as "null" and not "80".  What am I missing?


bowesmana
SplunkTrust

See this search

| makeresults
| eval _raw="123456789:17:05:18.865;1234;12345678;SRS;80;null;0;0;1"
| rex field=_raw "(([^;]*);){4}(?<Code>\d+);(?<Error>[^;]*)"

I think you have missed the way you define extractions, e.g. you are using

(?<Code>;)

which is effectively saying that, if the whole rex expression matches, then the Code field will become a semi-colon.

See in my search above, where it does

(?<Code>\d+)

That is saying that the 1 or more digits (\d+) are captured by the Code field and

(?<Error>[^;]*)

is capturing all characters up to the next ; character.

Hope this helps

I am assuming from your attempts that the SRS may not always be SRS. If it's always SRS, then 

| rex field=_raw "SRS;(?<Code>\d+);(?<Error>[^;]*)"

would also work, but from your attempts, I understand that it's the 5th and 6th semi-colon separated segments you are after.

