topic 'AND' operator in Regular Expressions in Splunk Search

'AND' operator in Regular Expressions

Michael_Schyma1 — Mon, 26 Nov 2012 14:14:39 GMT

I am trying to only select the data that has Directory Administrators OR Master Web Resource Admins AND I want that data to have MOD in it. So the main part that i am missing here is what operator says AND in regular expressions and send all other data to nullQueue. The pipe between Master Web Resource Admins and the selection of the three numbers is wrong. I need to figure out how to get something that says AND in there.

#CID_LDAP
[setnullldap]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsingldap]
REGEX = (?:Directory Administrators)|(?:Master Web Resource Admins)|([0-9][0-9][0-9]\s+(:?MOD)\W+)
DEST_KEY = queue
FORMAT = indexQueue

Below is an example of the raw data that is being passed into Splunk:

[19/Nov/2012:11:37:10 -0500] conn=8813 op=416 MOD dn="obname=201211104775926,obname=20121011230424,obapp=PSC,o=Oblix,o=scope"

[19/Nov/2012:11:37:10 -0500] conn=8813 op=416 RESULT err=0 tag=103 nentries=0 etime=0 csn=50aa60ef00000

[19/Nov/2012:11:37:10 -0500] conn=883 op=417 SRCH base="obapp=PSC,o=Oblix,o=scope" scope=1 filter="(objectClass=oblixGSN)" attrs="obSeqNo"

[19/Nov/2012:11:37:10 -0500] conn=8813 op=417 RESULT err=0 tag=101 nentries=1 etime=0 Directory Administrators

Re: 'AND' operator in Regular Expressions

sowings — Mon, 26 Nov 2012 14:42:24 GMT

Can you provide a sample line that should be indexed? That is, it matches your stated criteria? The key bit will be the relative position of your selection strings vs. the MOD string (whether it comes before or after...).

Re: 'AND' operator in Regular Expressions

Michael_Schyma1 — Mon, 26 Nov 2012 14:48:20 GMT

[19/Nov/2012:11:37:10 -0500] conn=8813713 op=416 MOD dn="obname=20121119T09404775926,obname=20121010T07001230424,obapp=PSC,o=Oblix,o= Directory Administrators"

MOD will come first. If any additional information is needed, just let me know. Thank you so much

Re: 'AND' operator in Regular Expressions

wpreston — Mon, 26 Nov 2012 15:44:37 GMT

Would something like this work for you?

op=(?<Feild1>\d+)\sMOD\s.*(?:o=\sDirectory\sAdministrators|o=\sMaster\sWeb\sResource\sAdmins)

I'm using a capturing group for the digits and a non capturing group for the Admins search, but it's simple to change that to a capturing group if need to use it for field extraction. Also, I'm not sure if the space in front of Directory Administrators (and by extension: Master Web Resource Admins) is intentional or not, so please remove it if it shouldn't be there.

Re: 'AND' operator in Regular Expressions

yannK — Fri, 29 Aug 2014 19:07:40 GMT

You can an OR condition in REGEX
REGEX = {something|differentthing)

Or you can use multiple successive transforms to send to the parsing queue.

[myldapsourcetype] TRANSFORMS-filterevents = setnullldap, setparsingldap_admin, setparsingldap_mod