topic Re: rex command to extract in Splunk Search

rex command to extract

itishree — Fri, 11 Sep 2020 13:35:46 GMT

i have one host with multiple sourcetype , i want to extract some field but that field also have some different so for all events i have to write different different rex command , is there any way to write rex command for all events

like this

Win_7_cuckoo.vmx

packer-centos6.vmx

test-vm-auto2.vmx

win-10-test1.vmx

so from here except .vmx

can any one help for this ?

Re: rex command to extract

gcusello — Fri, 11 Sep 2020 13:44:26 GMT

Hi @itishree,

sorry but I don't understand your question:

do you want to find a way to apply a field extraction (with one common regex) to all sourcetypes?
do you want to apply a different regex to each sourcetypes?

If the first you could try to associate the field extraction to an host or a source instead to a sourcetype, I don't like but it's possible.

If the second, it's not possible: you have to use the correct regex for each sourcetype.

The best approach could be that you share two or three samples of your data indicating what you want to extract.

Ciao.

Giuseppe

Re: rex command to extract

itishree — Mon, 14 Sep 2020 04:58:06 GMT

yes , i want to find a way to apply a field extraction (with one common regex) to all sourcetypes

is it possible?

Re: rex command to extract

gcusello — Mon, 14 Sep 2020 07:04:27 GMT

Hi @itishree,

no it isn't possible, you have to copy the field extraction for all sourcetypes.

I understand that it isn't easy to manage, but it permits to maintain more control on your data.

There'a also the choice to associate the field extraction to host and/or source if could be useful for you, in this way it's common to all the sourcetypes associated to that host or source.

Ciao.

Giuseppe

Re: rex command to extract

itishree — Wed, 16 Sep 2020 05:03:01 GMT

index="" ".vmx" host="" | rex field=_raw (?P<VM>\w+\/\w+\w+.vmx)(?!vmx) | rex field=_raw (?P<VM>\w+-\w+\/\w+\-\w+.vmx)(?!vmx) | rex field=_raw (?<VM>\w+\-\w+\-\w+\/\w+\-\w+\-\w+.vmx)| stats count by VM

result is like this:


Caldera/Caldera.vmx
Cuckoo_SNDBX/Cuckoo_SNDBX.vmx
Win_7_cuckoo/Win_7_cuckoo.vmx
kali/kali.vmx
kali2019/kali2019.vmx

but i want :

Caldera

Cuckoo_SNDBX

Win_7_cuckoo

kali2019

Re: rex command to extract

gcusello — Mon, 14 Sep 2020 07:51:16 GMT

Hi @itishree,

using your sample (if you could share a real log it could be more affidable!), I see that you could use this regex

| "\/(?<VMX>[^\.]*)\.vmx"

that you can test at https://regex101.com/r/WUUCpw/1

Ciao.

Giuseppe

Re: rex command to extract

gcusello — Mon, 14 Sep 2020 08:30:16 GMT

Hi @itishree,

try this regex

| rex "\/[^\/]*\/[^\/]*\/[^\/]*\/(?<VMX>[^\.]*)\.vmx"

that you can test at https://regex101.com/r/WUUCpw/2

Ciao.

Giuseppe

Re: rex command to extract

itishree — Wed, 16 Sep 2020 05:05:24 GMT

i want like

win2016-test1

Win_7_cuckoo

Re: rex command to extract

gcusello — Mon, 14 Sep 2020 11:57:25 GMT

Hi @itishree,

is this a different question or the same?

if a different one, please open a new one, that's useful for all the other people of Community so me and the other people can help you.

If it's the same, please, as the previous, share a sample of your logs.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: rex command to extract

itishree — Mon, 14 Sep 2020 12:06:06 GMT

same one

Re: rex command to extract

itishree — Mon, 14 Sep 2020 12:09:28 GMT

In result i am getting like this

datastore1/packer-win12/packer-win12
datastore1/packer_centos6/packer_centos6
datastore1/packer_centos7/packer_centos7
datastore1/packer_ubuntu18/packer_ubuntu18

i want like this only name of that

packer_ubuntu18

packer_centos7

Re: rex command to extract

gcusello — Mon, 14 Sep 2020 12:16:07 GMT

Hi @itishree,

these logs aredifferent than the previous, can we use two regexes (one for the previous and one for these) or do you want only one regex?

in both cases, can you share a sample of all the possible logs to take with the regex?

Ciao.

Giuseppe

Re: rex command to extract

itishree — Tue, 15 Sep 2020 13:58:14 GMT

same one only... i am getting this result

from this i want like only name of vm

packer-centos6

packer-win12

packer_ubuntu18

Re: rex command to extract

gcusello — Mon, 14 Sep 2020 12:55:44 GMT

Hi @itishree,

As you can see, I sent to you two regexes with the old logs you shared, two versions because you sent two different versions of logs (before results you'gettin' in, then sample logs).

So, could you share a sample of all the kind of logs?

Anyway, the regex to extract from the results you shared is

| rex "\w*\/[^\/]*\/(?<my_field>\S*)\s*$"

that you can test at https://regex101.com/r/m9VYnT/1, but probably isn't correct.

Ciao.

Giuseppe