Knowledge Management

I want to tag events based on a regex

paulbruno
Engager

Example: If the event's source field contains the word FOO, I want to tag it as foo.
If the event contains XML (i.e. <(.?)>.<(\1)>), I want to be able to tag it XML.

This way I can do queries like tags:XML and it will only return events I have tagged as XML.

I can easily do this in other logging solutions such as logstash but I can't seem to find a way to do it in Splunk. Thanks.


paulbruno
Engager

Answering my own question: since eventtypes can't handle a regex...

I created an extraction regex that matches opening/closing elements and performed a subquery on that field:

| rex field=_raw "(?s)<(?<xml>\w+?.*?)>.*</\\g{1}>" | search xml=*

Won't catch singular empty elements (i.e. ), but it's good enough for my purposes.

Hope this might help someone some day 🙂

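As an added illustration (not code from this thread), here is the rex pattern above ported to Python's re module, next to a tightened variant that also catches the self-closing elements the post says it misses; the sample events are constructed, and the PCRE \g{1} to \1 translation is an assumption of this port.

```python
import re

# The SPL rex from the post above, ported to Python's re module (assumption of
# this example: PCRE's \g{1} backreference becomes \1). The capture group takes
# the tag name *and* any attributes, so <a href="x">..</a> only matches through
# some inner attribute-free element, and self-closing <foo/> never matches.
ORIGINAL_REX = re.compile(r"(?s)<(?P<xml>\w+?.*?)>.*</\1>")

# Tightened variant (added here): capture just the tag name so attributes do
# not break the backreference, and also accept self-closing elements.
XML_ELEMENT = re.compile(r"(?s)<(?P<tag>\w+)(?:\s[^>]*)?(?:/>|>.*?</(?P=tag)\s*>)")

# "source contains the word FOO", case-insensitive like a Splunk search term.
FOO_SOURCE = re.compile(r"FOO", re.IGNORECASE)


def original_rex_matches(raw):
    """True when the post's rex would extract a non-empty xml field (search xml=*)."""
    return ORIGINAL_REX.search(raw) is not None


def tags_for(source, raw):
    """Return the set of tags an event should carry, based on regexes over
    the source field and the raw event text."""
    tags = set()
    if FOO_SOURCE.search(source):
        tags.add("foo")
    if XML_ELEMENT.search(raw):
        tags.add("xml")
    return tags


# Constructed sample events: (source, _raw) pairs, not real log data.
SAMPLE_EVENTS = [
    ("/var/log/app.log", '<request id="7"><user>alice</user></request>'),
    ("/var/log/app.log", "<heartbeat/>"),                # self-closing element
    ("/var/log/app.log", "if a < b and c > d then ok"),  # angle brackets, no XML
    ("/var/log/foo_service.log", "plain text, no markup"),
]

if __name__ == "__main__":
    for source, raw in SAMPLE_EVENTS:
        print(f"{source:26} rex={original_rex_matches(raw)!s:5} "
              f"tags={sorted(tags_for(source, raw))}")
```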

lguinn2
Legend

Use an eventtype to define a search for FOO or XML or whatever. Search using the eventtype

eventtype=FOO

or whatever you named it. You can also tag eventtypes, so if you give the FOO eventtype a tag, you can use that tag to search

tag=FOO

assuming that you named the tag FOO

More info: Create an Eventtype


paulbruno
Engager

Hi, I appreciate the response. My FOO is not a constant string; it could be a regex like the one I am using to search for matching XML elements. Also, it needs to go against the source field, not _raw.

Am I able to do this?

tag=<(.?)>.<(\1)>

Edit: it seems this forum is stripping asterisks and other special characters, so I am unable to post the exact regex here.


paulbruno
Engager

Should read: "If the event's source field CONTAINS the word..." I am unable to edit my post because this site's captchas don't work.
