Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

'AND' operator in Regular Expressions

Michael_Schyma1
Contributor
‎11-26-2012 06:14 AM

I am trying to only select the data that has Directory Administrators OR Master Web Resource Admins AND I want that data to have MOD in it. So the main part that i am missing here is what operator says AND in regular expressions and send all other data to nullQueue. The pipe between Master Web Resource Admins and the selection of the three numbers is wrong. I need to figure out how to get something that says AND in there. 

#CID_LDAP
[setnullldap]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsingldap]
REGEX = (?:Directory Administrators)|(?:Master Web Resource Admins)|([0-9][0-9][0-9]\s+(:?MOD)\W+)
DEST_KEY = queue
FORMAT = indexQueue

Below is an example of the raw data that is being passed into Splunk:

[19/Nov/2012:11:37:10 -0500] conn=8813 op=416 MOD dn="obname=201211104775926,obname=20121011230424,obapp=PSC,o=Oblix,o=scope"

[19/Nov/2012:11:37:10 -0500] conn=8813 op=416 RESULT err=0 tag=103 nentries=0 etime=0 csn=50aa60ef00000

[19/Nov/2012:11:37:10 -0500] conn=883 op=417 SRCH base="obapp=PSC,o=Oblix,o=scope" scope=1 filter="(objectClass=oblixGSN)" attrs="obSeqNo"

[19/Nov/2012:11:37:10 -0500] conn=8813 op=417 RESULT err=0 tag=101 nentries=1 etime=0 Directory Administrators
Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-29-2014 12:07 PM

You can an OR condition in REGEX
REGEX = {something|differentthing)

Or you can use multiple successive transforms to send to the parsing queue.


[myldapsourcetype]
TRANSFORMS-filterevents = setnullldap, setparsingldap_admin, setparsingldap_mod

0 Karma
Reply

wpreston
Motivator
‎11-26-2012 07:44 AM

Would something like this work for you?

op=(?<Feild1>\d+)\sMOD\s.*(?:o=\sDirectory\sAdministrators|o=\sMaster\sWeb\sResource\sAdmins)

I'm using a capturing group for the digits and a non capturing group for the Admins search, but it's simple to change that to a capturing group if need to use it for field extraction. Also, I'm not sure if the space in front of Directory Administrators (and by extension: Master Web Resource Admins) is intentional or not, so please remove it if it shouldn't be there.

Reply

Michael_Schyma1
Contributor
‎11-26-2012 06:48 AM

[19/Nov/2012:11:37:10 -0500] conn=8813713 op=416 MOD dn="obname=20121119T09404775926,obname=20121010T07001230424,obapp=PSC,o=Oblix,o= Directory Administrators"

MOD will come first. If any additional information is needed, just let me know. Thank you so much

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎11-26-2012 06:42 AM

Can you provide a sample line that should be indexed? That is, it matches your stated criteria? The key bit will be the relative position of your selection strings vs. the MOD string (whether it comes before or after...).

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...