Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- why does a ".*" extraction line ruin my query?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
why does a ".*" extraction line ruin my query?
Here is my original query:
tag=autoexpress_prod level=debug mdc.InvocationName=calculatePremiumAutoProcessc "serviceRequestName"
| rex field=message "<FirstName>(?
| rex field=message "<LastName>(?
| rex field=message "<MaritalStatus>(?
| dedup Married Fname Lname mdc.QuoteID
| join mdc.QuoteID
[search tag=autoexpress_prod level=debug mdc.InvocationName=recordBillingAccount "webservice request XML"
| rex field=message "<bil:externalPolicyNum>(?
| rename mdc.State as State, mdc.QuoteID as QuoteID
| table _time, PolicyNumber, State, QuoteID, Fname, Lname, Married
| sort 0 Fname Lname
| streamstats count by Fname Lname QuoteID
| eventstats max(count) as keep by Fname Lname
| search keep=2
it looks for people that change their marital status. The problem arises when I add this line: | rex field=message"<DECFirstName>(?<Message>.*)</DECFirstName>"
it completely prevents the query from grabbing certain pieces of data and I have no idea why?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure if it is just the formatting or a typo, but after the field=message you don't have a space before the double quote. That causes an error in the rex command processing. I tried this, which worked:
| makeresults | eval message="<DECFirstName>This is it</DECFirstName>" | rex field=message "\<DECFirstName\>(?<Message>.*)\</DECFirstName\>"
So I think that your rex is almost fine, it the only thing is the spacing before the double quote.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's what it looks like to me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi tfortne,
could you share your search using the Code sample button (101 010) because we cannot see your regexes.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tag=autoexpress_prod level=debug mdc.InvocationName=calculatePremiumAutoProcessc "serviceRequestName"
| rex field=message "\<DECFirstName\>(?<Message>.*)\</DECFirstName\>"
| rex field=message "\<FirstName\>(?<Fname>\w+)"
| rex field=message "\<LastName\>(?<Lname>\w+)"
| rex field=message "\<MaritalStatus\>(?<Married>\w+)"
| dedup Married Fname Lname mdc.QuoteID
| join mdc.QuoteID
[search tag=autoexpress_prod level=debug mdc.InvocationName=recordBillingAccount "webservice request XML"
| rex field=message "\<bil:externalPolicyNum\>(?<PolicyNumber>.{0,12})"]
| rename mdc.State as State, mdc.QuoteID as QuoteID
| table _time, PolicyNumber, State, Fname, Lname, Married, Message
| sort 0 Fname Lname
| streamstats count by Fname Lname QuoteID
| eventstats max(count) as keep by Fname Lname
| search keep=2
Here, sorry about that. I tried the fix, and it seemed to work, But i think the issue appears when i add the sorting function to it. For some reason the DECFirstName field makes the code drop results.
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
Splunk Answers Content Calendar, July Edition I
