topic Re: splunk query to use regex on the basis of if statement. in Splunk Search

How to write a query to use regex on the basis of if statement?

Abhineet — Tue, 13 Jun 2023 13:49:43 GMT

HI,

I am looking for splunk query to use regex on the basis of if statement.

Query:

index=jfrog_index "org.artifactory.security.AccessLogger" NOT "127.0.0.1"
| rex field=_raw ".*AccessLogger \[(?<action>[\w\s]+)\].*"|dedup action|search action = "ACCEPTED*" | table action

OUTPUT:

action

ACCEPTED DOWNLOAD

ACCEPTED LOGIN

ACCEPTED DELETE

ACCEPTED DEPLOY

ACCEPTED UPDATE

ACCEPTED PROPERTY_UPDATED

ACCEPTED CONFIGURATION_CHANGE

ACCEPTED BUILD_CREATE

i want to use separate regex on the basis of action value with if condition so event matches with action mentioned above apply particular regex and filter out the information.

As on the basis of action event format is different.

for example:

if (action = "ACCEPTED DOWNLOAD",<regex1>)

if(action = "ACCEPTED LOGIN", <regex2>)

regex1 = .*[\s]+\d+ (?<time>[\d:]+) (?<HOST>[\w\d]+) \[(?<date>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo>[\w-]+):(?<package>.*) for client : (?<user>[\_\w\-\d]+) \/ (?<userIp>.*)\.

Provide me Splunk query for above example to extract information for different format event for different action type.

Thanks

Abhineet Kumar

Re: splunk query to use regex on the basis of if statement.

gcusello — Mon, 12 Jun 2023 16:29:22 GMT

Hi @Abhineet,

make the two regex extractions and then the if condition, something like this:

| rex ".*[\s]+\d+ (?<time1>[\d:]+) (?<HOST1>[\w\d]+) \[(?<date1>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo1>[\w-]+):(?<package1>.*) for client : (?<user1>[\_\w\-\d]+) \/ (?<userIp1>.*)\." | rex ".*[\s]+\d+ (?<time2>[\d:]+) (?<HOST2>[\w\d]+) \[(?<date2>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo2>[\w-]+):(?<package2>.*) for client : (?<user2>[\_\w\-\d]+) \/ (?<userIp2>.*)\." | eval time=if(action="ACCEPTED DOWNLOAD",time1,time2), HOST=if(action="ACCEPTED DOWNLOAD",HOST1,HOST2), ...

you didn't shared regex 2, so I used the same regex to display the approach.

Ciao.

Giuseppe

Re: splunk query to use regex on the basis of if statement.

Abhineet — Mon, 12 Jun 2023 16:38:01 GMT

HI @gcusello !

For all "action" we have separate regex, we want to use regex inside if condition on the basis of "action" matched.

so that it extract information from event that belongs to particular "action".

for example:

if (action = "ACCEPTED UPDATE", <apply regex3 to events matches with action)

if condition satisfied for event apply regex on that event, if not satisfied for event nothing to do.

Thanks

Abhineet

Re: splunk query to use regex on the basis of if statement.

inventsekar — Tue, 13 Jun 2023 04:43:24 GMT

Hi @Abhineet .. running rex inside if condition looks like not possible.. but you can do like.. run two rex and then use the if condition to select your fields. (I just copy paste gcusello's SPL, adding ur base query)

pls update your rex2 and then whats your if condition requirement, then we can edit this SPL to match your requirement.

index=jfrog_index "org.artifactory.security.AccessLogger" NOT "127.0.0.1" | rex field=_raw ".*AccessLogger \[(?<action>[\w\s]+)\].*"|dedup action|search action = "ACCEPTED*" | rex ".*[\s]+\d+ (?<time1>[\d:]+) (?<HOST1>[\w\d]+) \[(?<date1>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo1>[\w-]+):(?<package1>.*) for client : (?<user1>[\_\w\-\d]+) \/ (?<userIp1>.*)\." | rex ".*[\s]+\d+ (?<time2>[\d:]+) (?<HOST2>[\w\d]+) \[(?<date2>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo2>[\w-]+):(?<package2>.*) for client : (?<user2>[\_\w\-\d]+) \/ (?<userIp2>.*)\." | eval time=if(action="ACCEPTED DOWNLOAD",time1,time2), HOST=if(action="ACCEPTED DOWNLOAD",HOST1,HOST2),

Re: splunk query to use regex on the basis of if statement.

gcusello — Tue, 13 Jun 2023 06:32:25 GMT

Hi @Abhineet ,

as @inventsekar said, it isn't possible to insert a regex in an if statement, the only approach is the one I described, or the solution from @inventsekar .

Ciao.

Giuseppe