Append string to end of log file if regex match is...

jazzijeff · ‎11-30-2021

Im trying to get a way to have SED (via search) append a string to the raw log in the results window if a condition is met anywhere in the raw log file - in the example below if i find any series of six numbers

index=* | rex mode=sed "s/(?<myTest>[0-9]{1,6})/\2<myTestFound>/g

What i would like is the following -and note the "<myTestFound>" at the end

<MyData>"This is my raw log with 123456 present and 987654 also present</MyData><myTestFound>

But all i have been able to do so far is

<MyData>"This is my raw log with 123456<myTestFound> present and 987654<myTestFound> also present</MyData>

Can anyone give me some assistance in getting the first option going? thanks

PickleRick · ‎11-30-2021

What do you mean by "end of log"? Splunks returns results from search (and operates on them with streaming commands) one event at a time.

Futrthermore, rex's sed doesn't accept any other modifiers than "g" or a number which means that it won't work in multiline mode. So best you can do with sed-mode is append a string at the end of the line. It's meant for data anonymization rather than some fancy sed-voodoo.
If you only want to append a string to the end of the event, why don't you just do eval appending said string to the _raw field?

ITWhisperer · ‎11-30-2021

| rex mode=sed "s/(?<myTest>[0-9]{1,6}.*)/\1<myTestFound>/g"

Append string to end of log file if regex match is true

regex

rex

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...