topic Re: AND | OR Rex field in Splunk Search

AND | OR Rex field

patelpin — Tue, 29 Sep 2020 11:13:35 GMT

Hello. I have a few servers: a,b,c and 1,2,3

Servers a,b,c work with this - base search | rex field=cs_uri_stem "(\/apps\/)(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test

cs_uri_stem= /apps/example/foo.aspx
some of the cs_uri_stem will be /apps/example/example/foo.aspx

Servers 1,2,3 work with this - base search | rex field=cs_uri_stem "(\/apps\/)|(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test
cs_uri_stem= /example/foo.aspx

I would like to combine them so that I get the results from all the servers. Please excuse the space in < test> it wouldn't show without the space.

Re: AND | OR Rex field

MuS — Tue, 27 Sep 2016 20:14:19 GMT

Can you please provide some real world sample data as text?

Re: AND | OR Rex field

patelpin — Tue, 29 Sep 2020 11:13:37 GMT

I can post the cs_uri_stem from several of the servers. In bold is what I'm trying to extract. Let me know if you need additional items. Not sure I'm giving everything you need. I can give full raw if you'd like. The only difference between the two is the | pipe.

Servers a,b,c:
/apps/spxss/spxquotebrowser/SPX.css
/apps/ajt/SE3SPX2COM/Spx2COM.asmx
/apps/PriceInq/Default.aspx
/apps/ordp/OrderEntry.aspx
/apps/orderalert/default.aspx
/apps/ALIS/ALIC.aspx

Servers 1,2,3:
/ECFPO/OpenPO.aspx
/ECFBWIN/Reserved.ReportViewerWebControl.axd
/open4ess/checks1.asp
/ecfordertracker/
/ECFQuoteTracker/QuoteCompleted.aspx

sourcetype=iis s_computername=Server1* | rex field=cs_uri_stem "(\/apps\/)(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test
Will give me:
spxss
ajt
PriceInq
ordp
orderalert
ALIS

sourcetype=iis s_computername=ServerA* | rex field=cs_uri_stem "(\/apps\/)|(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test
Will give me:
ECFPO
ECFBWIN
open4ess
ecfordertracker
ECFQuoteTracker

Re: AND | OR Rex field

MuS — Tue, 27 Sep 2016 21:45:05 GMT

Hi patelpin,

based on the provided examples this regex should work for you:

... | rex field=cs_uri_stem "(^\/apps\/|^\/(?!apps))(?<myFoo>[^\/]+)" | ...

Tested and working on regex101.com

Hope this helps ...

cheers, MuS

Re: AND | OR Rex field

patelpin — Tue, 29 Sep 2020 11:13:48 GMT

This worked exactly as I'd hoped, for about 99% of all the items. There are just a few cs_uri_stem that are like /example.gif, favicon.ico and the such. Is there any way to exclude these items?

At the moment, in my queries I can just use ... | search myFoo!="." | ...

Re: AND | OR Rex field

MuS — Wed, 28 Sep 2016 19:19:55 GMT

Sure, just add another \/ at the end to make sure it will only match if there is a second /

 ... | rex field=cs_uri_stem "(^\/apps\/|^\/(?!apps))(?<myFoo>\w+)\/" | ...

cheers, MuS

Re: AND | OR Rex field

patelpin — Thu, 29 Sep 2016 18:39:36 GMT

Even better. Perfect, thank you very much.