topic Re: how can i use rex to match multiple keywords in a file name in Splunk Search

how can i use rex to match multiple keywords in a file name

Tridi123 — Mon, 28 Sep 2020 12:37:54 GMT

i have key words like project, plan ,lease
now if any file name if these key word hits i need to find which keywords have hitted. if my file mane is Project_plan gamil.doc then keywords hitted are project and plan.
MY query is like

mysearch | rex field=source "(?(?i)(project))" | table _time found_project source _raw
but when i am writing like

mysearch | rex field=source "(?(?i)(project|plan|lease))" | table _time found_project source _raw
its not working as the column found_project is only containing Plan or project not those two field together for Project_plan gamil.doc but i want my found_project column contain data like Project,plan
as two key words have been hit.

In java scripts there is one coomand a=string.match(regex);a cloumn will contain all the data that match with regex.I want to do the same with splunk. Can anyone help in this regards.

Re: how can i use rex to match multiple keywords in a file name

MHibbin — Tue, 16 Oct 2012 12:37:45 GMT

You could try the following:

Define your rex:

mysearch | rex field=source "(?<found_project>(?i)(project))"

Create a "match" field:

..| eval match=1

Create a lookup with your keywords and the match column, e.g. for keywords.csv (this will need to be set up on server side):

match,keyword
1,plan
1,lease

I've taken project out as you have already extracted this in the field, so you could always add it back in as another row.

Perform a lookup on the match field to add in your values:

..|lookup keywords match output keyword

This should add all the values to your events, so expand them out:

..|mvexpand keyword

Then filter out any matching events:

..| where match(keyword,found_project)

I have not tested this, but I have used similar solutions before when looking for keywords.

Hope this helps.

Re: how can i use rex to match multiple keywords in a file name

Tridi123 — Wed, 17 Oct 2012 11:47:02 GMT

in which way i will pass the file name
Project_plan.doc because i have to match with filename whether this key words are present in file name or not to lookup query?Can u help once more please

Re: how can i use rex to match multiple keywords in a file name

MHibbin — Wed, 17 Oct 2012 15:06:54 GMT

If you extract the found_project field and project_plan.doc is one of the values for that field. The match will exclude any events that do not match the keyword, other than that I'm not sure I understand the question...

Re: how can i use rex to match multiple keywords in a file name

ayme — Wed, 17 Oct 2012 15:49:36 GMT

Doesn't using max_match do the trick?

... | fields source | rex field=file max_match=999999 "(?<found_project>(?i)(project|plan|lease|someotherterm))" | table _time found_project source

Re: how can i use rex to match multiple keywords in a file name

Tridi123 — Mon, 28 Sep 2020 12:39:27 GMT

if my file name is project_plan_project.doc
then under found project plan is coming twice like
Plan
Project
project

Is there any slution so that project come only once i used dedup but it wont wok. Can u help me?

Re: how can i use rex to match multiple keywords in a file name

ayme — Mon, 28 Sep 2020 12:39:30 GMT

Re: how can i use rex to match multiple keywords in a file name

Tridi123 — Mon, 28 Sep 2020 12:39:44 GMT

thjanks for ur help.I thought about mv expand but it was coming as

project_plan_project.doc project

project_plan_project.doc plan

but my final table will be like

project_plan_project.doc project
plan

that is found_project at last will be multivalued filed
only project will come once.
Is there any query in Splunk for this ?

Re: how can i use rex to match multiple keywords in a file name

Tridi123 — Mon, 28 Sep 2020 12:39:47 GMT

project_plan_project.doc project
plan

Re: how can i use rex to match multiple keywords in a file name

Tridi123 — Sat, 20 Oct 2012 08:16:18 GMT

can nomv help on this requirement??