https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315445#M94426 <P>The rex needs the name of the field you are making. So try something like:</P> <PRE><CODE>sourcetype=WinEventLog:Security host=* | rex field=EventCode "(?P&lt;EventID&gt;(486[8-9]|48[7-9][0-9]|4900))" </CODE></PRE> Tue, 18 Jul 2017 15:05:46 GMT cpetterborg 2017-07-18T15:05:46Z https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315443#M94424 <P>I'm trying to collate groups of Windows EventIDs into categories and use regex to filter a range of them. I cannot get this to work, either I get errors saying the regex cannot do anything or I get all EventIDs like the regex was completely ignored. Here's an example: EventIDs 4868-4900 are for MS Certificate Services, so I'd like to find all of them and create an eventtype for that. Here is my search string:</P> <P>sourcetype=WinEventLog:Security host=* | rex field=EventCode "(486[8-9]|48[7-9][0-9]|4900)"</P> <P>Please help... I'm new to regex and so far hate it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 18 Jul 2017 14:30:06 GMT https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315443#M94424 ldgrube 2017-07-18T14:30:06Z https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315444#M94425 <P>I think you're using the wrong command. The <CODE>rex</CODE> command extracts data from a field using regular expressions. To filter events using a regular expression, try the <CODE>regex</CODE> command.</P> <PRE><CODE>sourcetype=WinEventLog:Security host=* | regex field=EventCode "(486[8-9]|48[7-9][0-9]|4900)" </CODE></PRE> Tue, 18 Jul 2017 15:02:21 GMT https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315444#M94425 richgalloway 2017-07-18T15:02:21Z https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315445#M94426 <P>The rex needs the name of the field you are making. So try something like:</P> <PRE><CODE>sourcetype=WinEventLog:Security host=* | rex field=EventCode "(?P&lt;EventID&gt;(486[8-9]|48[7-9][0-9]|4900))" </CODE></PRE> Tue, 18 Jul 2017 15:05:46 GMT https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315445#M94426 cpetterborg 2017-07-18T15:05:46Z https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315446#M94427 <P>that is getting closer... at least I get data now... I'm just getting too many codes that don't fit between those numbers 4868-4900.</P> <P>anything like:<BR /> 1....538...540....56x,...57x..... 46xx......47xx......48xx.....49xxxx.... 50xx.....51xx.....61xx.....62xx.....82xx</P> <P>tried many variations of something like:</P> <P>sourcetype=WinEventLog:Security host=* | rex field=EventCode "(?P((48(6[8-9])|[7-9][0-9])|4900))"</P> <P>if I dump: (48(6[8-9])|[7-9][0-9])|4900 into an online regex tester...it gives me the right range 4868-4900... I'm not sure where I'm causing splunk grief in the syntax <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 18 Jul 2017 20:06:21 GMT https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315446#M94427 ldgrube 2017-07-18T20:06:21Z https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315447#M94428 <P>Why using rex / regex at all? If EventCode is integer already, just use the rangemap command.</P> <PRE><CODE>| makeresults | eval EventCode="12,4868,5000,4900" | makemv delim="," EventCode | mvexpand EventCode | rangemap field=EventCode lower_end=0-4867 "MS Cert"=4868-4900 upper_end=4901-99999 | search range="MS Cert" </CODE></PRE> <P>gives you back 4868 and 4900 from the test input.</P> Wed, 19 Jul 2017 11:08:04 GMT https://community.splunk.com/t5/Splunk-Search/Another-regex-issue/m-p/315447#M94428 knielsen 2017-07-19T11:08:04Z