Finally, under Generated pattern, we see the regular expression that Splunk generated, which is as follows:

    (?i)^[^ ]* (?P<FIELDNAME>[^ ]+)
Let's step through the pattern:

• (?i) says that this pattern is case insensitive. By default, regular expressions are case sensitive.
• ^ says that this pattern must match at the beginning of the line.
• [^ ]* says "any character but a space, zero or more times".
• The space is literal.
• (?P<FIELDNAME>[^ ]+) says to match anything that is not a space, and capture it in the field FIELDNAME. You will have the opportunity to name the field when you click on Save.
Edit presents a dialog to let you modify the pattern manually.

Test will launch a new search window with the pattern loaded into a very useful query that shows the most common values extracted. In this case, it is the following query:

    index=main sourcetype="impl_splunk_gen"
    | head 10000
    | rex "(?i)^[^ ]* (?P<FIELDNAME>[^ ]+)"
    | top 50 FIELDNAME
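To see what that pattern actually captures before trusting it on a large index, the following added example (not code from the book or from Splunk) applies the generated regular expression to a handful of constructed events using Python's re module, which supports the same (?i) flag and (?P<name>...) named-group syntax, and then tallies the captured values the way `top 50 FIELDNAME` would. The sample events, the helper names extract_field and top_values, and the user= fields are all assumptions made for this example.

```python
import re
from collections import Counter

# The pattern exactly as Splunk generated it on the page.
GENERATED_PATTERN = r"(?i)^[^ ]* (?P<FIELDNAME>[^ ]+)"


def extract_field(line, pattern=GENERATED_PATTERN):
    """Return the value captured as FIELDNAME, or None when the pattern does
    not match the event. This mirrors what `rex` does for a single event.

    Note that (?i) has no visible effect with this particular pattern: it
    contains no literal letters, so there is nothing for case folding to
    change. It matters only once you edit the pattern to include text."""
    match = re.search(pattern, line)
    return match.group("FIELDNAME") if match else None


def top_values(lines, pattern=GENERATED_PATTERN, limit=50):
    """Equivalent of `| rex ... | top N FIELDNAME`: count every captured
    value across the events and return the most common ones, highest first.
    Events where the pattern does not match contribute nothing, just as
    rex leaves the field absent on non-matching events."""
    counts = Counter(
        value
        for value in (extract_field(line, pattern) for line in lines)
        if value is not None
    )
    return counts.most_common(limit)


# Constructed sample events for this example; not real data from any index.
# The second whitespace-delimited token is the log level, which is what the
# generated pattern will pick up on events shaped like these.
SAMPLE_EVENTS = [
    "2012-03-14T14:30:02.123 ERROR LogoutClass error, ERROR, Error! [user=bob]",
    "2012-03-14T14:30:03.456 WARN AuthClass warning [user=mary]",
    "2012-03-14T14:30:04.789 ERROR LogoutClass error [user=bob]",
    "2012-03-14T14:30:05.000 INFO BarClass ok [user=jacky]",
    # No space at all: the literal space in the pattern cannot match,
    # so no field is extracted from this event.
    "no-second-token",
    # Leading space: [^ ]* matches zero characters, the literal space
    # consumes the leading blank, and the FIRST token is captured. This is
    # the "zero or more times" edge case worth checking on real data.
    " leadingspace token",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(repr(event), "->", extract_field(event))
    print(top_values(SAMPLE_EVENTS))
```

Running this on your own exported events before clicking Save is a cheap way to confirm that the field lands on the token you intended, and to spot events (like the last two above) where the generated pattern either fails to match or captures something other than the second token.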