Styjun

Multi tool use

Should I refuse to be named as co-author of a low quality paper?

Convert only certain words to lowercase

Should I put programming books I wrote a few years ago on my resume?

What do you call the action of "describing events as they happen" like sports anchors do?

Why are ambiguous grammars bad?

noalign caused by multirow and colors

Is Dumbledore a human lie detector?

Oil draining out shortly after turbo hose detached/broke

bash vs. zsh: What are the practical differences?

NUL delimited variable

Seasonality after 1st differencing

The significance of kelvin as a unit of absolute temperature

Extracting data from Plot

Remove border lines of SRTM tiles rendered as hillshade

Difference between prepositions in "...killed during/in the war"

What should I be wary of when insurer is taking a lot of time to decide whether car is repairable or a total loss?

How to befriend someone who doesn't like to talk?

Housemarks (superimposed & combined letters, heraldry)

Do you really need a KDF when you have a PRF?

How do we say "within a kilometer radius spherically"?

What do Birth, Age, and Death mean in the first noble truth?

Command of files and size

Rail-to-rail op-amp only reaches 90% of VCC, works sometimes, not everytime

How far would a landing Airbus A380 go until it stops with no brakes?

REQ: Assistance with Splunk - Rex Query

Regular Expression works for all but 1.00 in Splunk rexSplunk: How to grab certain section from result in splunk?Splunk Rex ExpressionMultiple Rex ExpressionsSplunk: how to extract fields using regular expressions? like rex in splunk searchSplunk rex query does not return desired resultSub search to look up field comprised of rex in main searchSplunk - extract a field with dot/periodSplunk rex command with curly brackets, round brackets, period and quotation marksSplunk rex query to filter message

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

2

I'm having some issues with a rex query where a single digit date renders an incorrect result, but a double digit date provides the correct result.

These are the log entries I'm querying:

Mar 7 14:24:29 10.52.176.215 Mar 7 12:24:29 963568 - Melbourne details-cable-issue - vdvfvfv

Mar 20 09:52:55 10.52.176.215 Mar 20 07:52:55 963569 - Brisbane cable-issue

And this is the query:

^(?:[^ n]* )7(?P<extension>[^ ]+)[^-n]*-s+(?P<location>w+)

For the Mar 7 entry, my query is giving me group extension "7" whilst my Mar 20 entry is giving me group extension "963569" which is correct.

Can someone shed some light on my query to acknowledge a single and double digit date? #7 vs 20

Thanks all :)

regex splunk rex

share|improve this question

edited Mar 24 at 21:46

Wiktor Stribiżew

339k16155238

asked Mar 24 at 21:38

JoeTogoJoeTogo

133

add a comment | 

2

I'm having some issues with a rex query where a single digit date renders an incorrect result, but a double digit date provides the correct result.

These are the log entries I'm querying:

Mar 7 14:24:29 10.52.176.215 Mar 7 12:24:29 963568 - Melbourne details-cable-issue - vdvfvfv

Mar 20 09:52:55 10.52.176.215 Mar 20 07:52:55 963569 - Brisbane cable-issue

And this is the query:

^(?:[^ n]* )7(?P<extension>[^ ]+)[^-n]*-s+(?P<location>w+)

For the Mar 7 entry, my query is giving me group extension "7" whilst my Mar 20 entry is giving me group extension "963569" which is correct.

Can someone shed some light on my query to acknowledge a single and double digit date? #7 vs 20

Thanks all :)

regex splunk rex

share|improve this question

edited Mar 24 at 21:46

Wiktor Stribiżew

339k16155238

asked Mar 24 at 21:38

JoeTogoJoeTogo

133

add a comment | 

I'm having some issues with a rex query where a single digit date renders an incorrect result, but a double digit date provides the correct result.

These are the log entries I'm querying:

Mar 7 14:24:29 10.52.176.215 Mar 7 12:24:29 963568 - Melbourne details-cable-issue - vdvfvfv

Mar 20 09:52:55 10.52.176.215 Mar 20 07:52:55 963569 - Brisbane cable-issue

And this is the query:

^(?:[^ n]* )7(?P<extension>[^ ]+)[^-n]*-s+(?P<location>w+)

For the Mar 7 entry, my query is giving me group extension "7" whilst my Mar 20 entry is giving me group extension "963569" which is correct.

Can someone shed some light on my query to acknowledge a single and double digit date? #7 vs 20

Thanks all :)

regex splunk rex

share|improve this question

edited Mar 24 at 21:46

Wiktor Stribiżew

339k16155238

asked Mar 24 at 21:38

JoeTogoJoeTogo

133

Mar 7 14:24:29 10.52.176.215 Mar 7 12:24:29 963568 - Melbourne details-cable-issue - vdvfvfv

Mar 20 09:52:55 10.52.176.215 Mar 20 07:52:55 963569 - Brisbane cable-issue

^(?:[^ n]* )7(?P<extension>[^ ]+)[^-n]*-s+(?P<location>w+)

share|improve this question

edited Mar 24 at 21:46

Wiktor Stribiżew

339k16155238

asked Mar 24 at 21:38

JoeTogoJoeTogo

133

share|improve this question

edited Mar 24 at 21:46

Wiktor Stribiżew

339k16155238

asked Mar 24 at 21:38

JoeTogoJoeTogo

133

edited Mar 24 at 21:46

Wiktor Stribiżew

339k16155238

edited Mar 24 at 21:46

Wiktor Stribiżew

339k16155238

asked Mar 24 at 21:38

JoeTogoJoeTogo

133

asked Mar 24 at 21:38

JoeTogoJoeTogo

133

1 Answer
1

active

oldest

votes

0

There are several consecutive spaces (they look like padding spaces) in the first string, and since you only match one space within (?:[^ n]* ) you get mismatches.

I suggest matching 1 or more spaces in that first group and adjusting the limiting quantifier:

^(?:[^ n]* +)5(?P<extension>[^ ]+)[^-n]*-s+(?P<location>w+)
 ^ ^

See the regex demo

share|improve this answer

answered Mar 24 at 21:44

Wiktor StribiżewWiktor Stribiżew

339k16155238

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55328823%2freq-assistance-with-splunk-rex-query%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

There are several consecutive spaces (they look like padding spaces) in the first string, and since you only match one space within (?:[^ n]* ) you get mismatches.

I suggest matching 1 or more spaces in that first group and adjusting the limiting quantifier:

^(?:[^ n]* +)5(?P<extension>[^ ]+)[^-n]*-s+(?P<location>w+)
 ^ ^

See the regex demo

share|improve this answer

answered Mar 24 at 21:44

Wiktor StribiżewWiktor Stribiżew

339k16155238

add a comment | 

0

There are several consecutive spaces (they look like padding spaces) in the first string, and since you only match one space within (?:[^ n]* ) you get mismatches.

I suggest matching 1 or more spaces in that first group and adjusting the limiting quantifier:

^(?:[^ n]* +)5(?P<extension>[^ ]+)[^-n]*-s+(?P<location>w+)
 ^ ^

See the regex demo

share|improve this answer

answered Mar 24 at 21:44

Wiktor StribiżewWiktor Stribiżew

339k16155238

add a comment | 

There are several consecutive spaces (they look like padding spaces) in the first string, and since you only match one space within (?:[^ n]* ) you get mismatches.

I suggest matching 1 or more spaces in that first group and adjusting the limiting quantifier:

^(?:[^ n]* +)5(?P<extension>[^ ]+)[^-n]*-s+(?P<location>w+)
 ^ ^

See the regex demo

share|improve this answer

answered Mar 24 at 21:44

Wiktor StribiżewWiktor Stribiżew

339k16155238

^(?:[^ n]* +)5(?P<extension>[^ ]+)[^-n]*-s+(?P<location>w+)
 ^ ^

share|improve this answer

answered Mar 24 at 21:44

Wiktor StribiżewWiktor Stribiżew

339k16155238

answered Mar 24 at 21:44

Wiktor StribiżewWiktor Stribiżew

339k16155238

answered Mar 24 at 21:44

Wiktor StribiżewWiktor Stribiżew

339k16155238