topic Re: REX Question in Splunk Search

REX Question

subtrakt — Thu, 13 Nov 2014 22:19:57 GMT

rex "(?i)\].*(?<test1>([^ ]* ){5})"

I want to avoid numbers being returned but i don't want to avoid the results with numbers in them.

I'm thinking i need to put this in the regex somewhere but haven't had any luck so far.

\D+ or [^0-9]

Re: REX Question

aljohnson_splun — Thu, 13 Nov 2014 22:32:30 GMT

Can you give an example of the data you're matching against ?

Re: REX Question

cpetterborg — Thu, 13 Nov 2014 22:33:35 GMT

Can you provide some example events and what you want to extract from them?

Re: REX Question

subtrakt — Fri, 14 Nov 2014 00:39:32 GMT

The query needs to be a catch all for multiple log types like Cisco juniper and Unix

Re: REX Question

aljohnson_splun — Fri, 14 Nov 2014 01:01:14 GMT

Just post a few single events from a few different types, and specify what you're trying to extract. Otherwise this question is pretty much impossible to answer with any confidence.

Re: REX Question

subtrakt — Fri, 14 Nov 2014 13:17:26 GMT

Sure,

2014-11-14 12:52:59:[ INFO]:- batman.java1 length of 25 error :0:

For above scrape 45, 25 and 1 from the field result and have it look like this

"batman.java length of error"

Re: REX Question

tom_frotscher — Fri, 14 Nov 2014 14:23:36 GMT

Hi,

here is a run everywhere example, just copy and paste it in your splunk search bar. Is this what you want?

| stats count | eval line="2014-11-14 12:52:59:[ INFO]:- batman.java1 length of 25 error :0:" | rex field=line max_match=0 "(?<test1>[a-zA-Z]+)" | mvcombine test1

Re: REX Question

jrodman — Fri, 14 Nov 2014 16:16:26 GMT

Is the goal here to match terms that have a minimum of one alpha character?

What about something like (\w*[A-Za-z]+\w*)

Re: REX Question

subtrakt — Fri, 14 Nov 2014 23:32:53 GMT

Thanks. What is the mvcombine doing?

Re: REX Question

tom_frotscher — Sat, 15 Nov 2014 11:08:11 GMT

The rex command extracts multiple words from the string and puts them into the field test1. Because there are multiple values, the field then is a so called multi value field. Mvcombine transforms mvfields to normal fields.