regex - REQ: Assistance with Splunk - Rex Query

Question

I'm having some issues with a rex query where a single digit date renders an incorrect result, but a double digit date provides the correct result.

These are the log entries I'm querying:

Mar  7 14:24:29 10.52.176.215 Mar  7 12:24:29 963568 - Melbourne details-cable-issue - vdvfvfv

Mar 20 09:52:55 10.52.176.215 Mar 20 07:52:55 963569 - Brisbane cable-issue

And this is the query:

^(?:[^ \n]* ){7}(?P<extension>[^ ]+)[^\-\n]*\-\s+(?P<location>\w+)

For the Mar 7 entry, my query is giving me group extension "7" whilst my Mar 20 entry is giving me group extension "963569" which is correct.

Can someone shed some light on my query to acknowledge a single and double digit date? #7 vs 20

Thanks all :)

score 0 · Accepted Answer

There are several consecutive spaces (they look like padding spaces) in the first string, and since you only match one space within (?:[^ \n]* ) you get mismatches.

I suggest matching 1 or more spaces in that first group and adjusting the limiting quantifier:

^(?:[^ \n]* +){5}(?P<extension>[^ ]+)[^-\n]*-\s+(?P<location>\w+)
            ^  ^

See the regex demo

regex - REQ: Assistance with Splunk - Rex Query

1 回答 1

Related

Reference