Hi
I have a field with the following value
16/08/2018 03:04:11 - Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine 10/08/2018 07:11:53 - Christian (Work notes) Remote Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised
These are all job comments related to the work, and I want to get only the last comment of the job, which will be the string between the first and second timestamps
- Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine
I tried using the following regex in regex101.com, and it seems to work fine.
^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s))
But when I put the rex into the query, it does not return anything
... | rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s))" | table number lastcomment
So I did some testing and found the problem is that Splunk misreads the ")", as if I do the following query
... | rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.*)" | table number lastcomment
it returns
Christian (Work notes)
instead of the whole string, as ".*" is expected to do
Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine 10/08/2018 07:11:53 - Christian (Work notes) Remote Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised
and if I put a space between * and ) like below
... | rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.* )" | table number lastcomment
it will return
Christian (Work
Sorry for the long post; any suggestion what is going on there?
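Added example (not part of the original post, and not Splunk's rex itself). It works through the posted pattern in Python's re module, which behaves like the PCRE engine behind rex for the constructs used here. It assumes one possible explanation for the symptoms described above: that the work_notes field actually contains newlines between the entries, which the pasted value (shown on one line) would not reveal. Under that assumption the example reproduces the "Christian (Work notes)" output for ".*" and shows a variant that uses the (?s) flag so "." spans newlines, and accepts end-of-string in the lookahead so a field with only one entry still yields a value. The group name lastcomment is taken from the table command in the post; the sample values are constructed here.

```python
import re

# Timestamp prefix that starts every work-note entry, e.g. "16/08/2018 03:04:11 - ".
TS = r"\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s"

# The posted pattern: lazy match up to the next timestamp.
# "." does not cross a newline unless the s (DOTALL) flag is set,
# in Python's re as in the PCRE engine behind Splunk's rex.
POSTED = re.compile(r"^" + TS + r"(?P<lastcomment>.+?(?=" + TS + r"))")

# The posted ".*" experiment, for comparison.
DOTSTAR = re.compile(r"^" + TS + r"(?P<lastcomment>.*)")

# Hardened variant (added here, an assumption about the fix):
# (?s) lets "." span newlines, and the lookahead also accepts end of
# string (\Z) so a field holding a single entry still returns a value.
FIXED = re.compile(r"(?s)^" + TS + r"(?P<lastcomment>.+?(?=" + TS + r"|\Z))")

# Constructed sample values. ONE_LINE is the value as pasted in the post;
# MULTI_LINE is the same content with the newlines ServiceNow-style work
# notes commonly carry (assumed, not confirmed by the post).
ONE_LINE = (
    "16/08/2018 03:04:11 - Christian (Work notes) Remote Desktop Notes: - still unable "
    "to remote in to the machine 10/08/2018 07:11:53 - Christian (Work notes) Remote "
    "Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) "
    "Remote Desktop Notes: - machine is comprimised"
)
MULTI_LINE = (
    "16/08/2018 03:04:11 - Christian (Work notes)\n"
    "Remote Desktop Notes: - still unable to remote in to the machine\n\n"
    "10/08/2018 07:11:53 - Christian (Work notes)\n"
    "Remote Desktop Notes: - machine is offline -\n\n"
    "08/08/2018 01:11:53 - Sam (Work notes)\n"
    "Remote Desktop Notes: - machine is comprimised"
)
SINGLE_ENTRY = "08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised"


def extract(pattern, value):
    """Return the lastcomment group (whitespace-trimmed) or None when rex would return nothing."""
    m = pattern.search(value)
    return m.group("lastcomment").strip() if m else None


if __name__ == "__main__":
    for label, value in (("one line", ONE_LINE), ("multi line", MULTI_LINE), ("single entry", SINGLE_ENTRY)):
        print(f"--- {label}")
        print("posted :", repr(extract(POSTED, value)))
        print(".*     :", repr(extract(DOTSTAR, value)))
        print("fixed  :", repr(extract(FIXED, value)))
```

If the multi-line assumption is right, the posted lookahead pattern returns nothing on the real field because ".+?" never reaches the second timestamp, while ".*" stops at the end of the first line, which is exactly "Christian (Work notes)". In rex the same fix is the inline flag: start the regex with (?s), or use [\s\S] in place of ".".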