topic Re: Regex for variable extraction in Splunk Search

Regex for variable extraction

reverse — Wed, 12 Jun 2019 17:00:18 GMT

50.99.220.89

- 50.99.248.89 - - [12/Jun/2019:08:27:13 -0400] "POST /ccc67/JJ/U7UY/BCFUVGYUYGI11HTTP/1.1" 500 6629
abcdef.us12345

v1
v2

How can I extract v1 and v2 from the events?
v2 always starts with abc and has 5 digit port number.
Please guide, thanks.

Re: Regex for variable extraction

Vijeta — Wed, 12 Jun 2019 17:03:35 GMT

what is v1 in your example , is it 1.1? and what is value of v2 in above example?

Re: Regex for variable extraction

jnudell_2 — Wed, 12 Jun 2019 17:05:39 GMT

Hi reverese,
Can you please modify your question using a backtick character before and after your sample line?
But here's what you can do with the rex command:

| rex "^(?<v1>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*(?<v2>abc\S+\d{5})$"

Re: Regex for variable extraction

jnudell_2 — Wed, 12 Jun 2019 17:06:41 GMT

Use the backtick before and after your line to show all special characters

Re: Regex for variable extraction

reverse — Wed, 12 Jun 2019 17:08:49 GMT

abcdef.us12345

Re: Regex for variable extraction

reverse — Wed, 12 Jun 2019 17:09:01 GMT

abcdef.us:12345

Re: Regex for variable extraction

reverse — Wed, 12 Jun 2019 17:10:57 GMT

updated.. thanks!

Re: Regex for variable extraction

reverse — Wed, 12 Jun 2019 17:32:08 GMT

can I use single rex to extract both v1 and v2 for each raw line ?

Re: Regex for variable extraction

Vijeta — Wed, 12 Jun 2019 17:33:50 GMT

yes you can

Re: Regex for variable extraction

reverse — Wed, 12 Jun 2019 18:04:10 GMT

Please guide with the mentioned example raw event

Re: Regex for variable extraction

jnudell_2 — Wed, 12 Jun 2019 19:09:43 GMT

In most cases, yes. Could you clarify what v1 is and what v2 is in your raw line? Is v1 an ip address? Give me an example of v1 and v2. Thanks.

Re: Regex for variable extraction

reverse — Wed, 12 Jun 2019 19:35:42 GMT

I found the solution.. just added two rex .. it worked. Able to use both variables in my stats command

Re: Regex for variable extraction

jnudell_2 — Wed, 12 Jun 2019 19:44:34 GMT

Ok, but if v1 = abcdef.us12345 and v2 = abcdef.us:12345 do you really need to differentiate between v1 & v2, or are you just trying to capture the data?

If you don't care you would use:
| rex ".*(?<v1>abc\S+\d{1,5})$"

If you DO care then you would use:
| rex ".*(?<v2>abc[^:]+:\d{1,5})|(?<v1>abc\S+\d{1,5})$"

Re: Regex for variable extraction

reverse — Wed, 12 Jun 2019 19:52:27 GMT

V1 = 50.99.220.89 v2 = abcdef.us:12345

Re: Regex for variable extraction

jnudell_2 — Wed, 12 Jun 2019 20:40:02 GMT

Much clearer... Definitely no need for 2 rex statements for that. The one I provided above in the answer works on that.

Re: Regex for variable extraction

reverse — Wed, 12 Jun 2019 21:25:03 GMT

i have rex like - rex "(?xxxx|yyyy)"

When using stats by action .. my results are dividing by xxxx and yyyy.

How can I avoid this separation?

Re: Regex for variable extraction

jnudell_2 — Thu, 13 Jun 2019 04:38:45 GMT

You'll need to write that more clearly, and use the backticks around your rex statement so special characters don't get removed.

What's the whole search? And what does an event look like for that search where the rex matches?