topic Re: Matching Two Strings in Field Extraction in Splunk Search

Matching Two Strings in Field Extraction

kederart — Fri, 11 Jan 2013 14:44:25 GMT

I am trying to match two separate strings for one field extraction. When setup separately they would look like...

(?i)^[^*#\d+\s+(?P< a >[^]+)

and

(?i)^(?:[^\-]*\i{2}\d+\s+(?P< b >[^]+)

I combined them by simply placing a pipe in between the two strings. The problem is Splunk will only pick up whichever value has a, and the b value will be lost. I can switch a and b and the values picked up will switch, but I cannot get the combination of both. I also cannot name both a as that is against Splunk conventions. Is this possible to accomplish? What am I missing here? Thanks.

Re: Matching Two Strings in Field Extraction

kederart — Fri, 11 Jan 2013 14:54:48 GMT

The only solution I've found so far is adding a second field extraction that both search on a. However, we have multiple logs and this could get cluttered when we start adding more searches. Would prefer to keep it as one search.

Re: Matching Two Strings in Field Extraction

Ayn — Fri, 11 Jan 2013 15:29:38 GMT

Why not have two field extractions?

Re: Matching Two Strings in Field Extraction

kederart — Fri, 11 Jan 2013 15:53:41 GMT

We have a dozen or so logs and we are doing multiple field extractions for each log. If we keep doing multiple field extraction for "a" then we are going to be cluttered with 6-10 searches per log. Our goal is to cut down on the clutter.

Re: Matching Two Strings in Field Extraction

Ayn — Fri, 11 Jan 2013 15:58:08 GMT

I'm not sure I follow. Why would you need multiple searches to perform multiple field extractions? There are usually loads of field extractions taking place for each event in a search.

Re: Matching Two Strings in Field Extraction

kederart — Fri, 11 Jan 2013 16:10:38 GMT

Sorry for the confusion. We want to search for a name (example a), however the name isn't always coming up as other names are being formatted in the second way (example b). We want a way to search for all the names without having multiple field extractions. I thought we could do that by piping the two searches together. We don't want to have name1, name2, name3 for field extractions because it's going to become cluttered and a little difficult to manage. Does that make more sense?

Re: Matching Two Strings in Field Extraction

jameshgibson — Fri, 11 Jan 2013 17:30:13 GMT

can you not change the regex to:

(?i)^([^*#]\d+\s+|(?:)[^\-]*\i{2}\d+\s+)(?P<a>[^]+)

this should match (?P<a>[^]+) when preceded by either (?i)^[^*#]\d+\s+ or (?i)^(?:)[^\-]*\i{2}\d+\s+

that is assuming you are missing a closing [ and ) in the expressions in your question.

Re: Matching Two Strings in Field Extraction

Ayn — Fri, 11 Jan 2013 18:54:14 GMT

Fair enough, but I think the easiest thing still would be to have multiple field extractions - you can still use the same field name for your extraction, it's just different ways of arriving at the extracted field. So you wouldn't have to mess with name1, name2 etc, you can just extract everything to name.