Issue with Splunk PCRE group name

I am trying to add a space to the PCRE group name. Not sure how to do so. For example:

rex field=_raw "Time taken = (?<"TimeInMillisecs">[^\s^\D+]+)

In the above, I need the group name to be "Time in Millisecs". How do I change the above expression?



Solution 1:[1]

Don't. Working with spaces in Splunk field names can be problematic. It's best to use the compressed name and then use a rename command at the end of the query to change to the desired display name.

rex field=_raw "Time taken = (?<TimeInMillisecs>[^\s^\D+]+)"
| rename TimeInMillisecs as "Time in Ms"

Solution 2:[2]

A couple of words on your regex: [^\s^\D+]+ matches one or more chars other than whitespace, ^, non-digit and + chars.

Note that \D matches any whitespace, ^ and + chars since they are non-digit chars, so [^\s^\D+]+ is equal to [^\D]+. And as you can see, "any one or more chars other than non-digit chars" is actually the same as "one or more digit chars".

So, to make your regex free from ambiguity, you can use:

rex field=_raw "Time taken = (?<TimeInMillisecs>\d+)"
| rename TimeInMillisecs as "Time In Millisecs"
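
An added example, not part of either answer: a Python check that the two character classes accept exactly the same characters, that a group name containing a space is rejected by the regex engine, and that extracting under the compact name and renaming afterwards gives the desired display name. It assumes Python's re module as a stand-in for Splunk's PCRE (Python spells the named group (?P<name>...)); the sample events and the DISPLAY_NAMES mapping are constructed for illustration.

```python
import re

# Character classes from the thread: the original and the simplified form.
ORIGINAL_CLASS = re.compile(r"[^\s^\D+]", re.ASCII)
SIMPLIFIED_CLASS = re.compile(r"\d", re.ASCII)

# Python spells a named group (?P<name>...); Splunk's PCRE uses (?<name>...).
EXTRACT = re.compile(r"Time taken = (?P<TimeInMillisecs>\d+)")

# Display names applied after extraction, like `| rename` at the end of a search.
DISPLAY_NAMES = {"TimeInMillisecs": "Time In Millisecs"}

# Constructed sample events (not from the original post).
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 INFO request done. Time taken = 153 ms",
    "2024-01-01 10:00:01 INFO request done. Time taken = 42+7 retries",
    "2024-01-01 10:00:02 WARN request failed. Time taken = n/a",
    "2024-01-01 10:00:03 INFO heartbeat",
]

def classes_differ_on():
    """Return every BMP character on which the two classes disagree."""
    return [
        chr(cp) for cp in range(0x10000)
        if bool(ORIGINAL_CLASS.fullmatch(chr(cp))) != bool(SIMPLIFIED_CLASS.fullmatch(chr(cp)))
    ]

def group_name_compiles(name):
    """True if the regex engine accepts `name` as a capture-group name."""
    try:
        re.compile(rf"(?P<{name}>\d+)")
        return True
    except re.error:
        return False

def extract(events):
    """Extract under the compact field name, then rename for display."""
    rows = []
    for event in events:
        m = EXTRACT.search(event)
        if m is None:
            continue  # no numeric timing in this event; skip it
        rows.append({DISPLAY_NAMES.get(k, k): int(v) for k, v in m.groupdict().items()})
    return rows

if __name__ == "__main__":
    print(classes_differ_on())
    print(group_name_compiles("Time in Millisecs"))
    print(extract(SAMPLE_EVENTS))
```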

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Wiktor Stribiżew