topic Re: Help In writing Regex for a dashboard in Dashboards & Visualizations

Help In writing Regex for a dashboard

mayank101 — Thu, 01 Aug 2019 18:00:24 GMT

I have may entries under the event field. I wanted a regex that separates extra out such as anything after GBP ,AMP
Eg - events

1 LOG-NOTIFYCMD-dce-<1SS4C413----> LOG-NOTIFYCMD-dce
2 LOG-NOTIFYCMD-abc-<1SS4C413---->LOG-NOTIFYCMD-abc
3 LOG-NOTIFYCMD-As1-<1SS4C413---->LOG-NOTIFYCMD-As1
.
.
.

Can you help me writing regex ,I am stuck in it.

Re: Help In writing Regex for a dashboard

niketn — Thu, 01 Aug 2019 19:05:11 GMT

@mayank101 for the community to assist you better please add more details as to what you need to extract in the above event. Also what is the pattern before and after the text that you want to extract.

Re: Help In writing Regex for a dashboard

mayank101 — Thu, 01 Aug 2019 19:10:05 GMT

As I have mentioned in example....anything after CMD needs to be eliminated. And the pattern is that CMD is the last word in expression and they start with LOG.I have already given example to make it more clear.

Re: Help In writing Regex for a dashboard

jacobpevans — Thu, 01 Aug 2019 19:16:04 GMT

Greetings @mayank101,

Assuming your data is in one line as you typed it and you want everything after and including CMD until the next space removed, you can trim it as such:

| makeresults
| eval _raw="1 LOG-NOTIFYCMD-dce- LOG-NOTIFYCMD-dce 2 LOG-NOTIFYCMD-abc-LOG-NOTIFYCMD-abc 3 LOG-NOTIFYCMD-As1-LOG-NOTIFYCMD-As1"
| eval _raw = replace(_raw, "CMD[^ ]+", "")

Re: Help In writing Regex for a dashboard

woodcock — Thu, 01 Aug 2019 19:16:45 GMT

We have no idea what you mean. What is GBP (Great British Pound)? What is AMP (ampersand, amperes)? Why do this strings not appear in your event. This must be a troll.

Re: Help In writing Regex for a dashboard

niketn — Thu, 01 Aug 2019 19:20:29 GMT

@mayank101 well in your question you have mentioned GBP and AMP which is never present in your sample data. However, even if I assume you wanted to remove anything after CMD, the pattern would be CMD exist before the data to be removed and what should be there after data to be removed is taken out?

Does the text highlighted in red below need to be removed? Also whether you want to remove them or extract them or anonymize?

1 LOG-NOTIFYCMD- dce - LOG-NOTIFYCMD- dce 2 LOG-NOTIFYCMD- abc -LOG-NOTIFYCMD- abc 3 LOG-NOTIFYCMD- As1 -LOG-NOTIFYCMD- As1

Re: Help In writing Regex for a dashboard

mayank101 — Thu, 01 Aug 2019 19:25:34 GMT

I want it to be extracted.Yes you are right it has to be extracted upto CMD.

Eg: event : LOG-NOTIFYCMD-dce-
LOG-NOTIFYCMD-`abc

Desired Result to be extracted: LOG-NOTIFYCMD
LOG-NOTIFYCMD

Re: Help In writing Regex for a dashboard

woodcock — Fri, 02 Aug 2019 03:46:51 GMT

Your use of extract is VERY unclear. Show the sample events and a mockup of the desire result. Then you won't need to use any words at all.

Re: Help In writing Regex for a dashboard

niketn — Fri, 02 Aug 2019 04:42:55 GMT

@mayank101 so still not clear. In a single event same text can occur several times and you need to extract all of them? Why? Please add context of what you have in data what you need to do for field extraction and once you have the field extracted how are you going to use it?

Is LOG_NOTIFYCMD going to be the same across or can it vary in your data, can you add sample?

Finally do try to understand that regular expression will be tightly coupled with the data you have and pattern in the data. So unless you explain your requirement correctly with correct data sample (you can definitely anonymize sensitive information so that regular expression does not change) for us to assist you better.

Following is a run anywhere example based on what you have described so far but I have no idea if this is really what you need and if you do, what would be the right use case for this?

|  makeresults
|  eval _raw="1 LOG-NOTIFYCMD- dce - LOG-NOTIFYCMD- dce 2 LOG-NOTIFYCMD- abc -LOG-NOTIFYCMD- abc 3 LOG-NOTIFYCMD- As1 -LOG-NOTIFYCMD- As1"
|  rex "(?<myfield>LOG-NOTIFYCMD)" max_match=0

Following is a more generic regular expression as per your data (with the same disclaimer that it may not work as per your expectations until you provide correct event samples and requirement for field extraction)

|  makeresults
|  eval _raw="1 LOG-NOTIFYCMD- dce - LOG-NOTIFYCMD- dce 2 LOG-NOTIFYCMD- abc -LOG-NOTIFYCMD- abc 3 LOG-NOTIFYCMD- As1 -LOG-NOTIFYCMD- As1"
|  rex "\s*(?<myfield>[^\-]+\-[^\-]+)\-\s[^\s]+" max_match=0

I would recommend you to try regex101.com for you to come up with regex extraction and understand the same (try sample of Reg Ex used above) . Or else use Interactive Field Extraction in Splunk (link to Step by Step IFX Splunk Documentation) where you let Splunk generate the RegEx based on the sample event and field value you highlight in the event.

Re: Help In writing Regex for a dashboard

mayank101 — Fri, 02 Aug 2019 15:06:08 GMT

I apologize woodcock for being unclear. I will try to be more clear next time.

Re: Help In writing Regex for a dashboard

mayank101 — Fri, 02 Aug 2019 15:06:36 GMT

I apologize niketnilay for being unclear. I will try to be more clear next time.

Re: Help In writing Regex for a dashboard

woodcock — Fri, 02 Aug 2019 15:32:10 GMT

So try again. show us the raw events and a mockup of your desired final outcome.