topic help on rex command in Splunk Search

help on rex command

jip31 — Fri, 19 Mar 2021 13:29:45 GMT

hello

My field sounds like this

03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w$

And I need to catch everything after

03/01/2019 07:10 0

it means I just need :

03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w$

could you help me please??

Re: help on rex command

gcusello — Fri, 19 Mar 2021 13:35:38 GMT

Hi @jip31,

to catch all after the string "03/01/2019 07:10 0 ", please, try this regex:

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<your_field>.*)"

that you can test at https://regex101.com/r/lxl2sg/1

Ciao.

Giuseppe

Re: help on rex command

jip31 — Fri, 19 Mar 2021 14:23:58 GMT

it works fine in regex101 but not in my search

here is what i am doing :

index=toto sourcetype="flags" | rex field1="\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<field1>.*)" | table field1

is there something wrong??

Re: help on rex command

ITWhisperer — Fri, 19 Mar 2021 16:15:39 GMT

You don't need field1=, rex defaults to matching against _raw.

Re: help on rex command

jip31 — Fri, 19 Mar 2021 16:47:31 GMT

It doesnt works even if i dont do field1=

Re: help on rex command

scelikok — Fri, 19 Mar 2021 20:10:44 GMT

Hi @jip31,

Can you please share your _raw data using a screenshot ? There should be a difference on your data with your sample.

Re: help on rex command

jip31 — Wed, 24 Mar 2021 08:53:33 GMT

hello

here is

https://www.cjoint.com/c/KCyi0QPTiJb

Re: help on rex command

ITWhisperer — Wed, 24 Mar 2021 09:10:59 GMT

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s+\d+\s+(?<field>.*)"

Re: help on rex command

gcusello — Wed, 24 Mar 2021 12:17:18 GMT

Hi @jip31,

yes: the rex command has a different syntax:

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<your_field>.*)"

You haven't to add "field1=" before the regex.

Ciao.

Giuseppe

Re: help on rex command

jip31 — Wed, 24 Mar 2021 13:29:02 GMT

I think I am not speaking clearly

I need to extract the field yellow in the screenshot and to call him "software" https://www.cjoint.com/c/KCynsMbuF2b

what I dont understand is that when I try to extract the field manually with a regex method, all the lines have disappeared except the first which begins by "Microsoft Windows..."

so I can use you regex because "your_field" doesnt exists

Re: help on rex command

gcusello — Wed, 24 Mar 2021 13:38:06 GMT

Hi @jip31,

sorry but I don't understand the problem:

did you tried my regex (the one I hinted not the one you used) replacing your_field with software?

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<software>.*)"

If it's not running in your Splunk, what's your result?

Ciao.

Giuseppe

Re: help on rex command

abhijeet01 — Wed, 24 Mar 2021 13:57:01 GMT

Hi @jip31 ,

Try this.

| rex field=_raw "
\d+\/\d+\/\d+\s\d+:\d+\s\d\s(?P<Field>[^\s*][A-Za-z0-9\s()._$]*)"

Re: help on rex command

jip31 — Wed, 24 Mar 2021 14:08:26 GMT

Giuseppe

The regex dont works because I dont succeed to extract this field properly....

When I am doing an field extraction, I cath the field, I called him "software" but at the end of the extraction, all the line have disappeared...

Re: help on rex command

ITWhisperer — Wed, 24 Mar 2021 14:12:00 GMT

Have you tried this - it is subtly different from the other rex strings because it takes into account multiple white-space characters in all instances - these are apparent in your screenshot.

Re: help on rex command

jip31 — Wed, 24 Mar 2021 14:41:36 GMT

Like I said, the first problem I have is to extract these field

You can see here the sourcetype config https://www.cjoint.com/c/KCyoNqARbmb

After this, I try to extract the field with the field extractor I need but it doenst works and i dont understand why

Re: help on rex command

scelikok — Wed, 24 Mar 2021 15:04:05 GMT

Hi @jip31,

Your linebreaker problem seems because of timestamps. It assumes %m-%d-%Y but it %d-%m-%Y

Please try changing your TIME_FORMAT to Advanced and use below format;

%d-%m-%Y %H:%M

Re: help on rex command

gcusello — Wed, 24 Mar 2021 16:03:11 GMT

Hi @jip31,

please check if the data you share are correct, because, using your data it runs:

| makeresults | eval _raw="03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w" | rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<software>.*)" | table software

Ciao.

Giuseppe

Re: help on rex command

jip31 — Thu, 25 Mar 2021 09:50:42 GMT

yes like this it works fine