Using Splunk 6.2,
I have a few regex commands that return drastically different results when they are set up using field extractions vs inline search commands. For example,
Example Log File:
20140915171053989759850769-27156-8.0.0 --Portfolio "MASTER LONG" --PeriodStartDate "January 1, 2014 12:00:00 am" --PeriodEndDate "September 15, 2014 11:59:59 pm"
Search command (works correctly):
|rex field=_raw "\bPeriodStartDate.*\"(?<PeriodStart>.*)\""
|rex field=_raw "\bPeriodEndDate.*\"(?<PeriodEnd>.*)\""
|rex field=_raw "\bPortfolio.*\"(?<Portfolio>.*)\""
Field Extractions:
\bPeriodEndDate.*\"(?<PeriodEnd>.*)\"
\bPeriodStartDate.*\"(?<PeriodStart>.*)\"
\bPortfolio.*\"(?<Portfolio>.*)\"
Could I be doing something wrong in the Field Extractions? I used the same regex in Splunk 6.0 with no issues. Any help would be appreciated!