topic Re: Regex refining in Splunk Search

Regex refining

Karthikeya — Thu, 10 Apr 2025 11:56:07 GMT

Regex

Please tell me what will be the best and effective way to write regex here:

"vs_name":"v-juniper-uat.opco.sony-443",

Need to extract juniper-uat.opco.sony from every event as FQDN.

I am writing the below regex and it worked. Please tell me is this good or any suggestions you give for more reliable?

|rex "vs_name\"\:\"[^\/]\-(?<fqdn>[^\/]+)\-\d+\"\,"

Re: Regex refining

gcusello — Thu, 10 Apr 2025 12:18:05 GMT

Hi @Karthikeya ,

if it's runs it's correct!

anyway I'd use this:

| rex "vs_name\"\:\"\w\-(?<fqdn>[^-]+)-\d+"

Ciao.

Giuseppe

Re: Regex refining

kiran_panchavat — Thu, 10 Apr 2025 12:29:34 GMT

@Karthikeya

Check this

Re: Regex refining

Karthikeya — Thu, 10 Apr 2025 12:32:26 GMT

Hi @gcusello ,

For some reason, the provided regex is not working. Can you please re check?

Re: Regex refining

Karthikeya — Thu, 10 Apr 2025 12:33:34 GMT

@kiran_panchavat always v is not guaranteed before fqdn as per user

Re: Regex refining

kiran_panchavat — Thu, 10 Apr 2025 12:37:36 GMT

@Karthikeya

if the "v-" prefix is not guaranteed, then your regex needs to be updated

Re: Regex refining

livehybrid — Thu, 10 Apr 2025 14:14:51 GMT

Hi @Karthikeya

Does the following work well for you? This allows v- to be optional:

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Regex refining

gcusello — Thu, 10 Apr 2025 14:48:17 GMT

Hi @Karthikeya ,

please try this:

| rex "vs_name\":\"\w-(?<fqdn>.+)-\d+"

that you can test at https://regex101.com/r/TDLukW/1

Ciao.

Giuseppe

Re: Regex refining

Karthikeya — Thu, 10 Apr 2025 16:06:41 GMT

@gcusello this is working. and how to make this extraction at index time I mean while indexing this field should be extracted? Please guide me.

Re: Regex refining

kiran_panchavat — Thu, 10 Apr 2025 18:19:25 GMT

@Karthikeya

Apply the below configurations for the index time field extractions.

props.conf

transforms.conf

I have uploaded the sample events to my lab environment and applied the above configurations. The fqdn field was successfully extracted. Please refer to the screenshot below

Sample events:

{"timestamp":"2025-04-10T12:34:56Z", "vs_name":"v-juniper-uat.opco.sony-443", "status":"active"}
{"timestamp":"2025-04-10T12:35:01Z", "vs_name":"qa-nginx-dev.opco.abc-8443", "status":"active"}
{"timestamp":"2025-04-10T12:35:06Z", "vs_name":"prod-apache.opco.xyz-9443", "status":"inactive"}
{"timestamp":"2025-04-10T12:35:10Z", "vs_name":"test-web1.opco.something-8080", "status":"active"}
{"timestamp":"2025-04-10T12:35:15Z", "vs_name":"edge-juniper-uat.opco.sony-443", "status":"active"}

NOTE:

If you use heavy forwarders, the props.conf and transforms.conf changes should be applied to the heavy forwarders instead of the indexers.

Re: Regex refining

PickleRick — Thu, 10 Apr 2025 18:31:41 GMT

Don't use indexed extractions! Unless you have a very good reason for it (if you don't know what reason that would be you probably don't have one). Just define a proper search-time extracted field.

Re: Regex refining

gcusello — Fri, 11 Apr 2025 06:02:43 GMT

Hi @Karthikeya ,

are you sure that you want to apply this extraction at index time?

this means a greater job for indexers and this usually depends on the volume of indexed logs for extractions, how many logs must you index daily and in the peak period?

here, you can find a comparation between the two modes and a description: https://docs.splunk.com/Documentation/Splunk/9.4.1/Indexer/Indextimeversussearchtime

Ciao.

Giuseppe