topic Re: rex expression that match pathname of variable lenght in Splunk Search

rex expression that match pathname of variable lenght

Federica_92 — Mon, 16 Feb 2015 17:05:16 GMT

Hi all,
quick question:
How I can match with rex or regex a regular expression that match all of this field?

[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/host-manager.war]
[/home/nheffernan/Waratek/apache-tomcat-7.0.52/conf/context.xml]
[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/ROOT/META-INF/context.xml]
[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/docs/]
and so on..
These are raw data, and I would like extract a field that contain for each event the pathname
such as: path=/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/host-manager.war

Thank you

Re: rex expression that match pathname of variable lenght

richgalloway — Mon, 16 Feb 2015 18:24:09 GMT

Does this work?

rex "\[(?P<path>[^\]]*)\]

Re: rex expression that match pathname of variable lenght

Federica_92 — Tue, 17 Feb 2015 10:05:47 GMT

Thank you,
This one works: rex "[\/(?P[^]]*)]"

But how can I export one csv file that contains only this path?

index=main| rex "[(?P[^]]*)]" | outputlookup users.csv , but in the csv file I would like have only the rex field

Re: rex expression that match pathname of variable lenght

richgalloway — Tue, 17 Feb 2015 13:54:10 GMT

Insert a fields command before the outputlookup. Only the fields listed in the command will be written to the CSV.

Re: rex expression that match pathname of variable lenght

Federica_92 — Tue, 17 Feb 2015 13:57:38 GMT

yeah, but with fields command I have to tell to splunk the name of the rex field...

index=main| rex "[(?P[^]]*)]" | fields name rex field outputlookup users.csv

Re: rex expression that match pathname of variable lenght

richgalloway — Tue, 17 Feb 2015 14:00:49 GMT

So give it a name.

index=main| rex "\[(?P<path>[^\]]*)\]" | fields path | outputlookup users.csv

Re: rex expression that match pathname of variable lenght

Federica_92 — Tue, 17 Feb 2015 14:14:55 GMT

seems works! And last question, how I can add it at my query in the framework?

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '[^*]' | fields path | outputlookup read_rules.csv")

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex "[^*]" | fields path | outputlookup read_rules.csv")

I cannot use these ways

Re: rex expression that match pathname of variable lenght

richgalloway — Tue, 17 Feb 2015 14:24:59 GMT

I'm not familiar with the framework. Why can you not use those ways?

Re: rex expression that match pathname of variable lenght

Federica_92 — Tue, 17 Feb 2015 14:26:46 GMT

No your query is perfect, but I have need to use it in the framework : ~)

Re: rex expression that match pathname of variable lenght

esix_splunk — Tue, 17 Feb 2015 14:50:34 GMT

What framework are you referring to?

Re: rex expression that match pathname of variable lenght

Federica_92 — Tue, 17 Feb 2015 14:50:35 GMT

splunk framework

Re: rex expression that match pathname of variable lenght

markthompson — Thu, 26 Feb 2015 10:17:50 GMT

Federica, looking at your framework question, the reason those won't work is because you're not creating the field.

For your reference, it'll benefit you in the long term.

rex "\[(?P<path>[^\]]*)\]"

The < path > part of the rex, creates the field called path

Using the example you supplied, this is missing.

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '[[^*](?.+)]' | fields path | outputlookup read_rules.csv")

Try:

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '\[(?P<path>[^\]]*)\]' | fields path | outputlookup read_rules.csv")

Credit to @richgalloway for the rex statement.