topic Re: Is there a regex syntax for undefined number of characters? in Splunk Search

Is there a regex syntax for undefined number of characters?

jenniferleenyc — Mon, 25 Jul 2016 19:51:25 GMT

I need to get commonName for ISSUER NAME but there are multiple issues: there are more than one commonName(one for ISSUER NAME and another for SUBJECT NAME), commonName position below ISSUER NAME is not fixed, and commonName will sometimes be a string of words with spaces between them. Is there a syntax for an indefinite number of characters and a syntax for scanning a string of words and spaces?

Data:
(0)ISSUER NAME

countryName US
organizationName Lucky Stars
commonName Dev Lucky Stars Internal PKI Firmwide Generic Issuing CA 6
(0)SUBJECT NAME

countryName US
stateOrProvinceName New York
localityName New York
organizationName Lucky Stars
commonName iklabnac04.ms.com
emailAddress mike.ng@luckystars.com
(0)Valid From May 26 03:33:39 2016 GMT
(0)Valid Till May 26 03:33:39 2018 GMT

Re: Is there a regex syntax for undefined number of characters?

richgalloway — Mon, 25 Jul 2016 20:02:58 GMT

Is the commonName field always prefixed by "commonName"?

Re: Is there a regex syntax for undefined number of characters?

somesoni2 — Mon, 25 Jul 2016 20:03:29 GMT

Give this a try

your base search | rex "commonName (?<commonName>(\S+\s*)+)"

Re: Is there a regex syntax for undefined number of characters?

sundareshr — Mon, 25 Jul 2016 20:05:40 GMT

Try this. There can be more than 2 commonName, adjust the max_match count and eval statements accordingly.

.... | rex max_match=2 "(?<commonName>commonName[^\t\n]+)"  | eval commonName_Issuer=mvindex(commonName, 0) | eval commonName_Subject=mvindex(commonName, 1) | ...

Re: Is there a regex syntax for undefined number of characters?

jenniferleenyc — Mon, 25 Jul 2016 20:19:48 GMT

would this be an inline command?

Re: Is there a regex syntax for undefined number of characters?

jenniferleenyc — Mon, 25 Jul 2016 20:53:27 GMT

I'm a little unfamiliar with regex syntax. What do the "..." and pipes indicate? What do I replace the "..." with?

Re: Is there a regex syntax for undefined number of characters?

somesoni2 — Mon, 25 Jul 2016 20:55:13 GMT

Yes, this would be added to your current search. Post the search you're using if you've any confusion where it should be added.

Re: Is there a regex syntax for undefined number of characters?

sundareshr — Mon, 25 Jul 2016 20:57:48 GMT

the ... just means etc. At the begining it is your base search, like this

index=nameofyourindex sourcetype=nameofsourcetype | rex max_match=2 "(?<commonName>commonName[^\t\n]+)"  | eval commonName_Issuer=mvindex(commonName, 0) | eval commonName_Subject=mvindex(commonName, 1) | table _time commonName_Issuer commonName_Subject

Re: Is there a regex syntax for undefined number of characters?

jenniferleenyc — Mon, 25 Jul 2016 21:04:25 GMT

This looks like a search string for Search&Reporting. Can I also put this string in the extraction/transform field?

Re: Is there a regex syntax for undefined number of characters?

sundareshr — Mon, 25 Jul 2016 21:26:53 GMT

If you want the regex for the extraction/transform field, you can use the following in your props & transforms

*props*

[unique_stanza_name]
REPORT-common = commName_extract

*transforms*

[commName_extract]
REGEX=(?<commonName>commonName[^\t\n]+)
MV_ADD = true