Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

space in my field with the field I extracted with a regex

Carolina
Engager
‎11-13-2017 06:34 PM

Hi,
Use a regex to extract some fields from my log with the regex101.com tool. but when I do the search for the mix field for example
index=search sourcetype=datos.log mix=818 does not show me results
but if I add an asterisk to the search index=search sourcetype=datos.log mix=*818 shows me results
My regex is the following:

(?<hora>[0-9]{8})+\s{1}+(?<mix>\d{3})(?<resp>[I|O])

these are some lines of my log

09523744 865O F010@@@@Y1905A46100000002     00000000151100157600STD20001
         865O 030202040005 1029  003047100000000012602                  
         865O   00000000000000000000000000000000000000000000517712002534
         865O 4898

Could you help me please?

Regards.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-14-2017 06:11 AM

This is due to mix being a partial token (like part of a whole word). See slide 29 of this presentation by Martin Mueller: https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf.

To illustrate, try index=search sourcetype=datos.log | search mix=818.

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-14-2017 06:11 AM

This is due to mix being a partial token (like part of a whole word). See slide 29 of this presentation by Martin Mueller: https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf.

To illustrate, try index=search sourcetype=datos.log | search mix=818.

Reply
Solved! Jump to solution

niketn
Legend
‎11-13-2017 07:32 PM

@Carolina, I think your reg ex is working fine your data seem be for 865 while you search mentions 818. However, I expect pattern remains the same for both. If you notice the regular expression for getting mix field is a combination of three digits (i.e. (?<mix>\d{3}) ) which is expected.

Can you try the following search?

index=search sourcetype=datos.log *818*
| search mix=818

Also you may change to the following regex but it is does the same thing as yours: (?<hora>[0-9]{8})\s(?<mix>\d{3})(?<resp>[I|O]). You can test out regular expression on regex101.com. I have added the regular expression and sample data as per the question (this will also help you understand how your regular expression is working).

https://regex101.com/r/t4uLzQ/1

If it still does not work, test out with mix=865 for which you have provided data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Carolina
Engager
‎11-13-2017 08:13 PM

@niketnilay, I already try the search and I have the same problem
but if I give a stats count index=search sourcetype=datos.log mix=* it shows me the mix however when I click on view event it does not show me results

0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...