topic Re: Regex to print 7th word of a one if a particular condition is met in Splunk Search

Regex to print 7th word of a one if a particular condition is met

saranyaa21 — Wed, 30 Sep 2020 01:51:18 GMT

Hi ,

below is the sample data :

12:10:32,946 INFO [class_name] [IP address] [id1] [-] [null,null,null,null,null,null,pincode] Logged in.
12:10:32,968 INFO [class_name] [IP address] [id1] [-] [name,id,location,street,state,country,pincode] Performing activity.

I'm trying to print the class name if 6th word is [-] and 7th word contains null values in it.

I'm using the following regex to do so:
rex field=_raw "(^(?:\S+\s+){2})(?<"Class_name">(\S+))" |rex field=_raw "(?<"Details">(?<=[-]\s[null).*pincode])"'

My challenge here:
This regex only captures the class_name and null,null,null,null,null,null,pincode . Actually, the same class has already printed the details for the same id id1 in a different place.

How should I correct my regular expression, in order to check, if the class has already printed the details, and to skip that class from the collection of empty details printing class list .

Thanks in advance .

Re: Regex to print 7th word of a one if a particular condition is met

kamlesh_vaghela — Thu, 22 Aug 2019 05:14:48 GMT

Can you please try this?

YOUR_SEARCH | rex field=_raw "(^(?:\S+\s+){2})\[(?<Class_name>(\S+))\]"  |rex field=_raw "(?<Details>(\[-\]\s\[null.*pincode]))" | dedup Class_name

My Sample Search:

| makeresults | eval d="12:10:32,946 INFO [class_name] [IP address] [id1] [-] [null,null,null,null,null,null,pincode] Logged in.||12:10:32,968 INFO [class_name] [IP address] [id1] [-] [name,id,location,street,state,country,pincode] Performing activity." | eval d=split(d,"||") | mvexpand d | eval _raw=d | fields _raw | rex field=_raw "(^(?:\S+\s+){2})\[(?<Class_name>(\S+))\]"  |rex field=_raw "(?<Details>(\[-\]\s\[null.*pincode]))" | dedup Class_name

Re: Regex to print 7th word of a one if a particular condition is met

saranyaa21 — Wed, 30 Sep 2020 01:51:24 GMT

Hello @kamlesh_vaghela ,

Your sample search works, as expected. But how do I use my search, to combine different pieces of logs as you have done in

| makeresults | eval d="12:10:32,946 INFO [class_name] [IP address] [id1] [-] [null,null,null,null,null,null,pincode] Logged in.||12:10:32,968 INFO [class_name] [IP address] [id1] [-] [name,id,location,street,state,country,pincode] Performing activity." | eval d=split(d,"||") | mvexpand d | eval _raw=d | fields _raw | rex field=_raw "(^(?:\S+\s+){2})[(?(\S+))]" |rex field=_raw "(?([-]\s[null.*pincode]))" | dedup Class_name

Re: Regex to print 7th word of a one if a particular condition is met

saranyaa21 — Wed, 30 Sep 2020 01:51:26 GMT

In this query below since two line, it was explicitly mentioned for comparison. But how do I compare huge logs when I don't know what will be the log entry.

should I try something like,

| makeresults | eval d="sourcetype=serverlog||sourcetype=serverlog | eval d=split(d,"||") | mvexpand d | eval _raw=d | fields _raw | rex field=_raw "(^(?:\S+\s+){2})[(?(\S+))]" |rex field=_raw "(?([-]\s[null.*pincode]))" | dedup Class_name

How should I pass the raw field here , the entire logs here ?!

Re: Regex to print 7th word of a one if a particular condition is met

kamlesh_vaghela — Thu, 22 Aug 2019 06:24:37 GMT

@saranyaa21

You have to use below portion of search with your event, Like if your events are in abc index and xyz sourcetype the your search should be like below

index=abc sourcetype=xyz  | rex field=_raw "(^(?:\S+\s+){2})[(?(\S+))]" |rex field=_raw "(?([-]\s[null.*pincode]))" | dedup Class_name

Re: Regex to print 7th word of a one if a particular condition is met

saranyaa21 — Fri, 23 Aug 2019 07:09:30 GMT

Dedup worked. Thanks @kamlesh_vaghela

Re: Regex to print 7th word of a one if a particular condition is met

kamlesh_vaghela — Fri, 23 Aug 2019 07:15:04 GMT

Gald to help you @saranyaa21. Can you please accept this answer to close this question?

Re: Regex to print 7th word of a one if a particular condition is met

saranyaa21 — Fri, 23 Aug 2019 09:35:36 GMT

done Kamlesh