topic Re: REGEX match on multiple conditions help in Splunk Search

REGEX match on multiple conditions help

roguepacket — Fri, 30 Mar 2012 15:54:19 GMT

I need help with a REGEX that needs to match multiple conditions in a log event.

The event looks like this:

02:02:02.000 AM 
Mar 30 02:02:02 servername1 Oracle Audit[2225]: SESSIONID: "123456789" ENTRYID: "*****" USERID: "ABC" USERHOST: "server2"  OBJ$CREATOR: "LMN" OBJ$NAME: "value1" SES$ACTIONS: "--**********-" OS$USERID: "someusername"

I need to send events to the nullQueue when all of the following conditions are met:

USERHOST: "server2"
OS$USERID: "someusername"
USERID: "ABC"

This is the REGEX that I have in place, but doesn't seem to be working:

REGEX = (?s)(OS\$USERID:\s.someusername.).+?(USERHOST:\s.server2.).+?(USERID:\s.ABC.)

Any ideas on how to correct my failing regex?
THanks

Re: REGEX match on multiple conditions help

Ayn — Fri, 30 Mar 2012 16:07:49 GMT

Well since you put the "OS$USERID" match first of all in regex, but it's the last part of the event you're matching against, the whole regex will fail. You need to put the matching groups in the correct order. In your event, USERID comes first, followed by USERHOST and OS$USERID. So, something like this should work:

REGEX = (?s)(USERID:\s.ABC.).+?(USERHOST:\s.server2.).+?(OS\$USERID:\s.someusername.)

Re: REGEX match on multiple conditions help

roguepacket — Fri, 30 Mar 2012 17:01:13 GMT

Worked perfectly! Thanks for your quick answer!

Re: REGEX match on multiple conditions help

the_wolverine — Tue, 14 Oct 2014 18:15:19 GMT

What is the purpose of (?s)

The regex did not work for me when I used it. Works fine without it (for me).

Re: REGEX match on multiple conditions help

landen99 — Fri, 17 Jul 2015 12:26:58 GMT

"?" changes the "+" from greedy to lazy. Lazy means match as few as possible. Greedy means match as many as possible.