Splunk Enterprise Security

Need help to write regex.

vaibhavbharadwa
Observer

I have 2 sets of logs. I am supposed to extract the content between the last 2 '#' in the logs below.
Please help.

<12>Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#

<12>Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #

The information written in bold needs to be extracted into a field called 'message'.

I tried the following regex:
(?(field_name_with_angular_brackets)User..\s.)

Please let me know how to do this.

Also, please let me know how to combine the regex of 2 fields into a single field.

0 Karma

jpolvino
Builder

Another option with just 1 step:

(your search) | rex "#\s(?!.*# )(?<message>[^#]+)#$"

Then if you want to create a new field from two others, just use a period between them.

...
| eval f1="abc"
| eval f2="123"
| eval f3=f1.f2
| eval f4=f1."_".f2

So f3 will be abc123 and f4 will be abc_123

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval raw="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#:::Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "#\s*(?<message>[^#]+)\s*#\s*$"
0 Karma

niketn
Legend

@vaibhavbharadwaj, try the following regular expression:

|  rex "\#\s*(?<message>[^\#]+)\s*#$"

Following is a run anywhere example based on the sample data provided. Please try out and confirm!

|  makeresults
|  fields - _time
|  eval data="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#;Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
|  makemv data delim=";"
|  mvexpand data
|  rename data as _raw
|  rex "\#\s*(?<message>[^\#]+)\s*#$"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mydog8it
Builder

Do you have access to the search heads to modify the transforms.conf and props.conf files?

0 Karma

saurabhkharkar
Path Finder

| makeresults
| eval string="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#"
| rex mode=sed field=string "s/\#*$//"
| rex field=string "(?<message>[^\#]*$)"
| table string message

Explanation:

| rex mode=sed field=string "s/\#*$//" -> replaces the last # with nothing
| rex field=string "(?<message>[^\#]*$)" -> captures everything after the last # and dumps it in a new field 'message'
0 Karma
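The patterns from the four answers above, run side by side over the question's two sample events, as an added example that is not from any of the posters. Python's `re` module spells a named group `(?P<message>...)` where Splunk's PCRE uses `(?<message>...)`; the patterns are otherwise unchanged. The third event is constructed for this example (same layout, no closing '#'), and the last pattern, `TRIMMED_RE`, is my own variant that keeps the surrounding whitespace out of the capture and still returns the last field when the closing '#' is missing.

```python
import re

# Sample events. The first two are copied from the question; the third is
# constructed for this example to show a line with no closing '#'.
SAMPLE_EVENTS = [
    "<12>Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO "
    "# User login # SSO # Success # User login successful.#",
    "<12>Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 "
    "# Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 "
    "# User name: diness. Failure reason: The user name does not match the "
    "password or the account does not exist. #",
    # constructed: same layout as the second event, but the trailing '#' is missing
    "<12>Dec 25 00:57:10 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 "
    "# Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 "
    "# Account locked after repeated failures.",
]

# jpolvino's one-step rex: the negative lookahead rejects any "# " that still
# has another "# " somewhere after it, so the match can only start at the last
# separator. Splunk's (?<message>...) is (?P<message>...) in Python's re.
LOOKAHEAD_RE = re.compile(r"#\s(?!.*# )(?P<message>[^#]+)#$")

# woodcock's / niketn's rex: a '#'-free run immediately followed by the closing
# '#' at end of line. Only the last segment can satisfy the '$' anchor.
LAST_SEGMENT_RE = re.compile(r"#\s*(?P<message>[^#]+)\s*#\s*$")

# saurabhkharkar's two-step approach: strip trailing '#' characters first, then
# take everything after the last remaining '#'.
TRAILING_HASH_RE = re.compile(r"#*$")
AFTER_LAST_HASH_RE = re.compile(r"(?P<message>[^#]*$)")

# Added variant (not from the thread): a lazy capture leaves the padding
# whitespace to the surrounding \s*, and the optional closing '#' means an
# event that lacks the final '#' still yields its last field.
TRIMMED_RE = re.compile(r"#\s*(?P<message>[^#]*?)\s*#?\s*$")


def _capture(pattern, text):
    m = pattern.search(text)
    return m.group("message") if m else None


def rex_lookahead(event):
    return _capture(LOOKAHEAD_RE, event)


def rex_last_segment(event):
    return _capture(LAST_SEGMENT_RE, event)


def rex_sed_two_step(event):
    # equivalent of: rex mode=sed "s/\#*$//" followed by rex "(?<message>[^\#]*$)"
    return _capture(AFTER_LAST_HASH_RE, TRAILING_HASH_RE.sub("", event))


def rex_trimmed(event):
    return _capture(TRIMMED_RE, event)


def compare_all(event):
    """Return every approach's capture for one event, so the differences in
    padding and in handling of a missing closing '#' are visible side by side."""
    return {
        "lookahead": rex_lookahead(event),
        "last_segment": rex_last_segment(event),
        "sed_two_step": rex_sed_two_step(event),
        "trimmed": rex_trimmed(event),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event[:60] + "...")
        for name, value in compare_all(event).items():
            print(f"  {name:13s} {value!r}")
```

Three things show up on the sample data: the lookahead and last-segment patterns return the second event's message with a trailing space, because `[^#]+` is greedy and swallows the padding before the closing '#'; the sed two-step returns a leading space for the same reason; and both single-regex answers return no match at all for an event without the closing '#', while the two-step still returns the last field. Dropped into Splunk, the trimmed pattern is `| rex "#\s*(?<message>[^#]*?)\s*#?\s*$"`, or the same regex in a props.conf `EXTRACT-message` entry for the sourcetype, which is the search-time configuration route mydog8it's question points at.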