topic Re: Search for mutiple values using rex and store them in a same single field in Splunk Search

Search for mutiple values using rex and store them in a same single field

ppurokit — Wed, 06 Nov 2013 09:59:19 GMT

Im looking to achieve the following using Rex.

Below is the search query which im trying to run

sourcetype=XXXXXX (-1XXXXX OR -1XXXXX) | rex "access-list\s+(?[a-zA-Z0-9.-]+)" | rex "access-group\s+\"?(?[A-Za-z.-]+)\"?"

rex "access-list\s+(?[a-zA-Z0-9._-]+)"

rex "access-group\s+\"?(?[A-Za-z.-_]+)\"?"

I know that i can store these results in two different variables.

But i want to combine them into a single rex and store the output of these two rex into a single variable "Access" itself.

Please let me know on how to achieve this functionality?

Please share your thoughts on this.

martin_mueller — Wed, 06 Nov 2013 10:27:48 GMT

You can combine the two regular expressions by OR'ing the prefixes using the pipe symbol: access-lists+|access-groups+

ppurokit — Wed, 06 Nov 2013 11:02:03 GMT

Hi,

Tried the following and i dont see the "access" variable getting generated by the regex

sourcetype=XXXXXX (-1XXXXX OR -1XXXXX) | rex "(access-list|access-group)\s"?(?[A-Za-z.-0-9]+)"?"

Im getting an splunk error "Unknown search command 'a'."

martin_mueller — Wed, 06 Nov 2013 11:06:38 GMT

Make sure there were no \d, \s, etc. lost in the formatting of splunkbase.