Reputation: 29
Issue with Splunk PCRE group name
I am trying to add a space to the PCRE group name.Not sure how to do so.For ex:
rex field=_raw "Time taken = (?<"TimeInMillisecs">[^\s^\D+]+)
In the above,I need the group name to be "Time in Millisecs".How do I change the above expression?
Upvotes: 0
Views: 187
Answers (2)
Reputation: 627335
A couple of words on your regex: [^\s^\D+]+ matches one or more chars other than whitespace, ^, non-digit and + chars.
Note that \D matches any whitespaces, ^ and + chars since they are non-digit chars, so [^\s^\D+]+ is equal to [^\D]+. And as you can see, "any one or more chars other than non-digit chars" is actually the same as "one or more digit chars".
So, to make your regex free from ambiguity, you can use:
rex field=_raw "Time taken = (?<TimeInMillisecs>\d+)
| rename TimeInMillisecs as "Time In Millisecs"
Upvotes: 1
Reputation: 9926
Don't. Working with spaces in Splunk field names can be problematic. It's best to use the compressed name and then use a rename command at the end of the query to change to the desired display name.
rex field=_raw "Time taken = (?<TimeInMillisecs>[^\s^\D+]+)
| rename TimeInMillisecs as "Time in Ms"
Upvotes: 2
Related Questions
- Regex to capture group name on first line, then the corresponding value on the next?
- Exclude string from matched result in regex
- Not able to match the regex
- Regex does not work on nearly identical raw data in Splunk
- regex operator in Splunk is not working to match results
- A regular expression that replaces a group with hard coded text
- RegEx in Splunk Search
- Splunk regex query returning no results
- A regex with Splunk
- Getting rid of the parenthesis with regular expression group matching