topic Will you help me create a regex to extract one or more lines with same heading in a single event? in Splunk Search

Will you help me create a regex to extract one or more lines with same heading in a single event?

splunkreal — Wed, 19 Sep 2018 15:04:40 GMT

Hello guys,

I'm adding this to my search in order to extract fields :

| rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<DNmanquante>[^,]+)[^']+'\n(- CODE \(serial : (?P<CRLmanquante>\d+)\) error.\n-+\n)+"

Event example :

CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
- CODE (serial : 1234) error.
---------------------------------------------------------
- CODE (serial : 5676) error.
---------------------------------------------------------
- CODE (serial : 5677) error.
---------------------------------------------------------
- CODE (serial : 5678) error.
---------------------------------------------------------
- CODE (serial : 5679) error.
---------------------------------------------------------
CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'

I want to get XXX 2025:1234,XXX 2025:5678...etc like a tree with 1 or more branches.

The problem is it returns only last match : 5679

Thanks a lot.

Regex101 link : https://regex101.com/r/M96VAN/2

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

inventsekar — Wed, 19 Sep 2018 15:38:54 GMT

Hi...your rex query got damaged, since the answer portal can not accept those..
after writing your rex query, select it and then do "control-k" (to make it as a "code")..
or , use backticks before and after your rex (like.. | rex field=_raw ..) ...

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

splunkreal — Wed, 19 Sep 2018 15:55:26 GMT

Thank you 🙂

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

kamlesh_vaghela — Wed, 19 Sep 2018 16:43:24 GMT

@realsplunk
Can you please try following search?

YOUR_SEARCH | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Here I have used separate rex for CN & Code.

My Sample Search:

| makeresults | eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 - CODE (serial : 1234) error.
 ---------------------------------------------------------
 - CODE (serial : 5676) error.
 ---------------------------------------------------------
 - CODE (serial : 5677) error.
 ---------------------------------------------------------
 - CODE (serial : 5678) error.
 ---------------------------------------------------------
 - CODE (serial : 5679) error.
 ---------------------------------------------------------
 CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'" | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Updated Ans:

YOUR_SEARCH | rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

My Sample Search:

| makeresults 
| eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------
  - CODE (serial : 5678) error.
  ---------------------------------------------------------
  - CODE (serial : 5679) error.
  ---------------------------------------------------------
  CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
   - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------" 
| rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

Thanks

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

splunkreal — Thu, 20 Sep 2018 09:43:11 GMT

Hi Kamlesh, thanks however this way I can't associate CN with CODE accordingly.

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

kamlesh_vaghela — Fri, 21 Sep 2018 04:23:24 GMT

@realsplunk

quick question.

The event you provided will come in a single event or individual event?

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

splunkreal — Fri, 21 Sep 2018 07:04:34 GMT

It's a multiline single event, thanks 🙂

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

splunkreal — Fri, 21 Sep 2018 13:27:54 GMT

Dirty solution :

CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']+'\n- CODE \(serial : (?P<CODE>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE2>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE3>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE4>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE5>\d+)\) error.\n-+\n

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

kamlesh_vaghela — Fri, 21 Sep 2018 16:32:57 GMT

@realsplunk

See my Updated ans. 🙂
I hope I will work for you.

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

splunkreal — Mon, 24 Sep 2018 10:12:28 GMT

Congratulations, it works, good method 🙂

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

kamlesh_vaghela — Mon, 24 Sep 2018 10:18:47 GMT

Great.
Glad to help you.

Happy Splunking

Re: Will you help me create a regex to extract one or more lines with same heading in a single event?

rey123 — Wed, 30 Sep 2020 02:10:16 GMT

@kamlesh_vaghela , could you please guide what the regex would have been if we were to want to extract only the first occurrence of the (or ) from the results? Should 'max_match' = 1 in that case? Thanks!