Hello, I am trying to get a field extraction working, and have written regex accordingly that the field extractor seems to like. The raw logs are a list of quote-encapsulated fields separated by commas:

"field1","field2","field3",...

Certain fields can have multiple values, wherein the values are separated only by a comma but quotes enclose only the entire list of values. For example:

"field1","field2","field3value1,field3value2,field3value3",...

To complicate matters, values that belong to a certain field can contain multiple words separated by other characters, such as "Software/Technology" or "Business and Industry", so that the entire field may look something like this:

"Software/Technology,Business Services,Application,Business and Industry,Computers and Internet"

That field needs to be extracted and displayed exactly as it is shown. The regex I have attempted for this is as follows:

"(?<categories>[^\"]+|) "(?<categories_again>[\w\s\/\,]+|)
Although the field extractor, rex function, and regex101 like both of these extractions and they work exactly as expected, when I search I get each word from within the field as its own independent value, which is not what I need:
Software Technology Business Services Application and Industry
At this point I'm out of ideas as to regex modifications or other workarounds that can be applied to fix this. Has anyone else encountered this problem and if so, were you able to fix it and how? Otherwise I think I have to bring this to Splunk support. Thank you.
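As an added example (not code from the original post or from Splunk), the following Python parses a constructed line in the format described above and shows that both the post's `[^"]+` pattern and a CSV parser keep the multi-valued field as one string, which is then split only on commas so that multi-word values such as "Business and Industry" stay intact. The sample line, function names and the use of Python's `(?P<name>...)` group syntax are assumptions.

```python
import csv
import io
import re

# Constructed sample line in the format from the post (not a real log line).
SAMPLE_LINE = (
    '"field1","field2",'
    '"Software/Technology,Business Services,Application,'
    'Business and Industry,Computers and Internet",'
    '"field4"'
)

# Same idea as the post's "(?<categories>[^\"]+|)" pattern: a double-quoted
# field whose body contains anything except a double quote. Python's re module
# spells named groups (?P<name>...) rather than PCRE's (?<name>...).
FIELD_RE = re.compile(r'"(?P<categories>[^"]+|)"')


def fields_by_regex(line):
    """Return every quoted field as one value; commas inside quotes are kept."""
    return [m.group("categories") for m in FIELD_RE.finditer(line)]


def fields_by_csv(line):
    """Same result via the csv module, which handles quoted commas natively."""
    return next(csv.reader(io.StringIO(line), delimiter=",", quotechar='"'))


def categories(line, index=2):
    """Pull the multi-valued field (third field in the constructed sample)."""
    return fields_by_regex(line)[index]


def split_categories(value):
    """Split the multi-valued field on commas only, never on spaces or '/'."""
    return value.split(",")


if __name__ == "__main__":
    whole = categories(SAMPLE_LINE)
    print(whole)
    for v in split_categories(whole):
        print(" -", v)
```

Splitting the extracted value on spaces or slashes instead would produce the word-by-word list shown in the post; the comma split above is what preserves the values as they appear in the raw field.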