topic Re: Regex Issue using Rex command in Splunk Search

Regex Issue using Rex command?

POR160893 — Thu, 22 Sep 2022 15:23:06 GMT

Hi,

I have a field X with values similar to the following "device-group APCC1_Core_Controller pre-rulebase application-override rules NFS-bypass UDP-1" and "device-group APCC1_Core_Controller pre-rulebase application-override rules" as 2 examples of possible values.

I need to extract the value in between "device_group" and "per_rulebase...." and assign this as Y.
So, if X = "device-group APCC1_Core_Controller pre-rulebase application-override rules NFS-bypass UDP-1"
=> Y = "APCC1_Core_Controller"

If X = "device-group APCC1_Core_Controller pre-rulebase application-override rules"
=> Y = "APCC1_Core_Controller".

What would the rex command be???

Thanks,

Re: Regex Issue using Rex command

Azeemering — Thu, 22 Sep 2022 11:55:53 GMT

1. What have you tried yourself?

2. Can you provide the full event so that I can make an example for you.

Re: Regex Issue using Rex command

POR160893 — Thu, 22 Sep 2022 12:04:21 GMT

The full event is as follows:

1,2022/09/22 10:01:40,013101004778,SYSTEM,general,2561,2022/09/22 10:01:40,,general,,0,0,general,informational,"Panorama push device-group APCC1_Core_Controller with merge-with-candidate-cfg flags set.JobId=60265.User=Panorama-admjeen_yeong_choong. Dequeue time=2022/09/22 10:01:39. DG version: APCC1_Core_Controller: 11854. ",7136408369296042839,0x8000000000000000,0,0,0,0,,apcc1pafwcc01,0,0,2022-09-22T10:01:40.203+00:00

Re: Regex Issue using Rex command

yuanliu — Thu, 22 Sep 2022 18:15:12 GMT

extract the value in between "device_group" and "per_rulebase...." and assign this as Y

I speculate that "per_rulebase" is a mistype for "pre_rulebase" as mentioned elsewhere in the OP. The problem is that this "pre_rulebase" or "per_rulebase" does not seem to be a literal string, according to the sample event; it appears to be an application/industry specific term related to this source, something like "with merge-with-candidate-cfg flags". If this correct, you cannot expect people in a Splunk forum to intuit what "pre_rulebase" (or per_rulebase) stands for.

On superficial observation, the "Y" you are trying to extract is really just the name of device group. If this name cannot contain spaces, you can simply do

| rex "device_group (?<device_group>\S+)"

If the name may contain space, but the "pre_rulebase" always begins with keyword "with" as exemplified in the sample event, you can do something like

| rex "device_group (?<device_group>.+) with "

Of course, this second form has a larger chance of overreaching because the word "with" may appear in some other content of the event. You have to find some pattern to reduce such chances.

Re: Regex Issue using Rex command?

POR160893 — Fri, 23 Sep 2022 13:08:00 GMT

So, say I have a field called "M" and some of the values are as follows:

"Panorama push to device:013101010578 for device-group: Durham_IPV6_INET_SVCS succeeded. JobId=2480530"

"Panorama push to device:007257000068919 for device-group: Azure-China-Internet-North succeeded. JobId=2480524"

"Panorama push to device:016401009013 for device-group: Austin_Experience_Lounge succeeded. JobId=2480530"

How can I extract just the first string in between each "....device-group: *** succeeded. ....", where *** represents the respective value to be extracted. In the case of the above 3 examples, the 3 values extracted are "Durham_IPV6_INET_SVCS", "Azure-China-Internet-North" and "Austin_Experience_Lounge" respectively.

I tried using the following Splunk command but got no success 🙄:
|rex "body\s(?<portNumber>\d+)\s"

Can you please help?

Re: Regex Issue using Rex command?

POR160893 — Fri, 23 Sep 2022 13:08:29 GMT

Any help?

Re: Regex Issue using Rex command?

POR160893 — Fri, 23 Sep 2022 13:59:12 GMT

At the moment, I have got this far:

However, I do not want to have "device-group:" included as part of the values.
How can I change my regex?

Re: Regex Issue using Rex command?

yuanliu — Fri, 23 Sep 2022 17:07:06 GMT

If you don't want device-group, don't include it in the parenthesis. Also, \w is incorrect for your data because your group name often includes dashes as illustrated. See my other post.

| rex "device-group (?<device_group>\S+)"

Re: Regex Issue using Rex command?

youngsuh — Fri, 23 Sep 2022 17:45:32 GMT

regex101: build, test, and debug regex

Please take a look at this link. I suggestion use regex101 before put them into splunk.

Re: Regex Issue using Rex command?

yuanliu — Fri, 23 Sep 2022 17:30:19 GMT

Ok, there's a colon after "device-group". So add that.

| rex "device-group: (?<device_group>\S+)"