topic Re: How can you do OR statements in rex? in Splunk Search

How can you do OR statements in rex?

jambajuice — Mon, 24 Jan 2011 15:00:21 GMT

I'm trying to write a regex expression that extracts a field that ends in either a new line or a ":". I am trying to write the equivalent of (\n|:). When I use that kind of regex in a transforms.conf or props.conf file, it works fine. When I use it in a search command, it always treats the "|" OR symbol as a search pipeline. Is there any way to escape it using rex so that Splunk will treat it like an "OR"?

Thx.

Craig

Re: How can you do OR statements in rex?

Ayn — Mon, 24 Jan 2011 15:30:55 GMT

The reason Splunk treats the "|" symbol as a search pipeline is most likely because you're not putting your regex inside quotes. You're probably doing something like this:

yoursearch | rex field=_raw (?<yourfield>\n|:)

whereas you should be doing it like this:

yoursearch | rex field=_raw "(?<yourfield>\n|:)"

Re: How can you do OR statements in rex?

jambajuice — Mon, 28 Sep 2020 09:23:35 GMT

I have a field called "results" that looks like one of the following:

192.168.250|192.168.250.83|unknown (57753/udp)

192.168.250|192.168.250.83|snmp (161/udp)|14274|

I'm trying to extract the service name and ports, such as "ssh (22/tcp)". Some extractions end with a new line, others with a |.

My rex is: rex field=results max_match=400 "(?i)\d+.\d+.\d+|\d+.\d+.\d+.\d+|(?P[^|]+)

Re: How can you do OR statements in rex?

jambajuice — Mon, 24 Jan 2011 16:10:25 GMT

But for some reason when I display the results in a table, the values that do not end with |5 digits| appear as: unknown(5774/udp) 192.168.250. So, it looks like it is grabbing the next line up until the "|".

How do I tell rex to end the match on either a "|" or a new line character?

Thx.

Re: How can you do OR statements in rex?

jambajuice — Mon, 24 Jan 2011 18:01:23 GMT

Putting the regex in quotes didn't help. I used the following lookbehind assertion to solve the problem:

(?<=))

Re: How can you do OR statements in rex?

Paolo_Prigione — Mon, 24 Jan 2011 21:45:06 GMT

Lookbehinds are not particularly performant. Why not define your regex such as:

"\|(?<service_name>\w+\([^\)]+\))"

thus terminating the extraction at the closing parenthesis?

If else, you need a simple choice between one or more single characters, you can use a char class:

[\n:]

matches either a new line or a column.