topic Re: regex help in Splunk Search

regex help

mariof — Fri, 22 Jun 2012 15:41:23 GMT

Hi,
I'm new to Splunk so hope:
1) I'm not asking a stupid question
2) someone can help

Anyway, I want to extract a hostname and user name from a "source" at search time.
I know I need to "| rex field=source" but can't figure out the syntax as yet.

the source I have is in the following format:
/export/Data/History/servername_user

Kind Regards

Mario

Re: regex help

MHibbin — Fri, 22 Jun 2012 16:06:50 GMT

rex field=source "(?i)\/export\/data\/history\/(?P<hostName>\w+)\_user"
I believe should do it..

You can also use the IFX (Interactive Field Extractor) to help with you extractions/regex.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

Note, that rex will not make a permanent field, only one that exists in the context of the present search string.

This reference is pretty good for regex

http://www.regular-expressions.info/reference.html

Regards,

Matt

Re: regex help

mikelanghorst — Fri, 22 Jun 2012 16:36:33 GMT

I'd probably use:
rex field=source "(?i)\/export\/data\/history\/(?P[^_]+)_(?\w+)"

Splitting out both host and user

Re: regex help

mariof — Mon, 25 Jun 2012 09:54:24 GMT

Thank you both for your help (so far).
I was hoping to use the hostname and user in a table, would that be possible considering that these variables are not permanent?