Hi,
I use a regex to extract some fields from my log, tested with the regex101.com tool, but when I search for the mix field, for example
index=search sourcetype=datos.log mix=818
does not show me results
but if I add an asterisk to the search, index=search sourcetype=datos.log mix=*818
it shows me results.
My regex is the following:
(?<hora>[0-9]{8})+\s{1}+(?<mix>\d{3})(?<resp>[I|O])
these are some lines of my log
09523744 865O F010@@@@Y1905A46100000002 00000000151100157600STD20001
865O 030202040005 1029 003047100000000012602
865O 00000000000000000000000000000000000000000000517712002534
865O 4898
Could you help me please?
Regards.
This is due to mix being a partial token (like part of a whole word). See slide 29 of this presentation by Martin Mueller: https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf.
To illustrate, try index=search sourcetype=datos.log | search mix=818.
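To see the partial-token effect described above in a runnable form, here is an added Python illustration (not Splunk's code and not from either answer): it models index-time segmentation with a simplified breaker set, runs the question's regex as a search-time extraction (rewritten in Python's (?P<name>) syntax, using the 865 value that the posted data actually contains), and compares an exact value in the base search, a wildcarded value, and the same test after | search. The breaker set and the token-prefilter rule are simplifying assumptions about Splunk's behaviour.

```python
import re

# Constructed sample events: the four lines posted in the question, one event each.
EVENTS = [
    "09523744 865O F010@@@@Y1905A46100000002 00000000151100157600STD20001",
    "865O 030202040005 1029 003047100000000012602",
    "865O 00000000000000000000000000000000000000000000517712002534",
    "865O 4898",
]

# The question's regex in Python syntax: (?<name>...) becomes (?P<name>...).
EXTRACT = re.compile(r"(?P<hora>[0-9]{8})\s(?P<mix>\d{3})(?P<resp>[I|O])")

# Assumption: a subset of Splunk's default minor breakers; whitespace is the major breaker.
MINOR_BREAKERS = "/:=@.-$#%\\_"
MINOR_SPLIT = re.compile("[" + re.escape(MINOR_BREAKERS) + "]")

def tokenize(event):
    """Simplified index-time segmentation: split on whitespace, keep each piece,
    and also keep the sub-pieces produced by minor breakers. A letter following
    digits is not a breaker, so '865O' stays one token and '865' never appears."""
    tokens = set()
    for piece in event.split():
        tokens.add(piece)
        tokens.update(p for p in MINOR_SPLIT.split(piece) if p)
    return tokens

INDEX = [(ev, tokenize(ev)) for ev in EVENTS]

def extract(event):
    """Search-time field extraction with the question's regex."""
    m = EXTRACT.search(event)
    return m.groupdict() if m else {}

def run(field, value, in_base_search):
    """field=value typed in the base search (in_base_search=True) requires the
    literal value to exist as an indexed token before extraction is even tried;
    a wildcarded value, or the same test after '| search', skips that step."""
    value_re = re.compile("^" + re.escape(value).replace(r"\*", ".*") + "$")
    hits = []
    for event, tokens in INDEX:
        if in_base_search and "*" not in value and value not in tokens:
            continue  # the token prefilter discards the event
        if value_re.match(extract(event).get(field, "")):
            hits.append(event)
    return hits

if __name__ == "__main__":
    print("mix=865 in base search :", len(run("mix", "865", True)))   # 0
    print("mix=*865 in base search:", len(run("mix", "*865", True)))  # 1
    print("| search mix=865       :", len(run("mix", "865", False)))  # 1
```

Only the first event carries the 8-digit prefix the regex requires before mix, so it is the only one that extracts at all; the other three show that the regex, not just the token, can silently drop events.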
@Carolina, I think your regex is working fine; your data seems to be for 865 while your search mentions 818. However, I expect the pattern remains the same for both. If you notice, the regular expression for getting the mix field is a combination of three digits (i.e. (?<mix>\d{3})), which is expected.
Can you try the following search?
index=search sourcetype=datos.log *818*
| search mix=818
Also you may change to the following regex, but it does the same thing as yours: (?<hora>[0-9]{8})\s(?<mix>\d{3})(?<resp>[I|O]). You can test out the regular expression on regex101.com. I have added the regular expression and sample data as per the question (this will also help you understand how your regular expression is working).
https://regex101.com/r/t4uLzQ/1
If it still does not work, test out with mix=865, for which you have provided data.
@niketnilay, I already tried the search and I have the same problem,
but if I run a stats count with index=search sourcetype=datos.log mix=*
it shows me the mix; however, when I click on view event it does not show me results.