Splunk Search

Can't get rex to work

ride76
Explorer

I have been searching Splunk Answers and have read the documentation, and I am not sure whether it is something simple I am missing, but rex using field=_raw does not seem to filter any results. For instance, whether I run a search with 'asterisk' or with * | rex field=_raw "src inside (?<src>\d+.\d+.\d+.\d+\/\d+)"', the results are always the same. And this happens with every rex command I run. Can someone please point me in the right direction? Another example I cannot get to work is below:

'* | rex field=_raw "src inside (?<src>\d+.\d+.\d+.\d+\/\d+)"'

1 Solution

woodcock
Esteemed Legend

Based on this clarification in which you used "FILTER":

I am trying to filter on IP's in the format x.x.x.x/port#. Another query I am trying is rex field=_raw "http://(?[^:]*):*".

This should work:

... | regex _raw="src\s*inside\s*\d+\.\d+\.\d+\.\d+/\d+"

This will throw away any events that do not match this RegEx (filtering in). If you need to filter out, use != instead of =.


ride76
Explorer

There are backslashes after each 'd' and '.' - the forum was removing them when I tried to post, but I just figured out how to post code. Also, I have tried running with rex and regex. Both samples are below.

rex field=_raw "(?<src>)\d+\.\d+\.\d+\.\d+(?<src_port>)\/\d+"

rex field=_raw "http://(?<Dest>[^:]*):*"

dflodstrom
Builder

It might be time to rephrase your question. I don't think your desired outcome is clear. Provide some sample events for better help.



woodcock
Esteemed Legend

You are using strange terminology. The rex command does NOT filter but the regex command does. The rex command creates new fields using existing fields. Are you trying to "filter" or create fields? Assuming the latter, this might work for you:

... | rex "src\s*inside\s*(?<src>\d+\.\d+\.\d+\.\d+)"
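To make the distinction woodcock draws above concrete (rex adds fields to every event, regex drops events that do not match), here is an added Python example that is not from the thread or from Splunk: it runs the thread's patterns over constructed sample events, with rex() and regex_filter() as stand-ins for the two SPL commands. Python's re module needs (?P<name>...) where SPL uses (?<name>...), and it also shows why the unescaped dots in the original pattern over-match, as dflodstrom notes.

```python
import re

# Constructed sample events (not from the thread): two firewall-style lines,
# one proxy line with an http URL, one line that only looks like an address.
EVENTS = [
    "Built TCP connection src inside 10.1.2.3/51234 dst outside 93.184.216.34/443",
    "Teardown TCP connection src inside 10.1.2.4/51235 duration 0:00:02",
    "GET http://example.com:8080/index.html 200",
    "src inside 1-2-3-4/5 is not an IP address",
]

# woodcock's rex pattern, extended with the src_port group ride76 wanted.
REX_SRC = re.compile(r"src\s*inside\s*(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<src_port>\d+)")
# ride76's original pattern: the dots are unescaped, so "." matches anything.
LOOSE_SRC = re.compile(r"src inside (?P<src>\d+.\d+.\d+.\d+/\d+)")
# ride76's URL pattern with the field name the forum kept stripping.
REX_DEST = re.compile(r"http://(?P<Dest>[^:]*):*")
# woodcock's regex pattern: no capture group, it only decides keep or drop.
FILTER_SRC = re.compile(r"src\s*inside\s*\d+\.\d+\.\d+\.\d+/\d+")


def rex(events, pattern):
    """Mimic `| rex`: keep every event; matched named groups become fields."""
    out = []
    for raw in events:
        fields = {"_raw": raw}
        m = pattern.search(raw)
        if m:
            fields.update(m.groupdict())  # unmatched events simply get no field
        out.append(fields)
    return out


def regex_filter(events, pattern, negate=False):
    """Mimic `| regex _raw=...` (or `!=` when negate=True): drop non-matches."""
    return [e for e in events if bool(pattern.search(e["_raw"])) != negate]


if __name__ == "__main__":
    for e in regex_filter(rex(EVENTS, REX_SRC), FILTER_SRC):
        print(e["src"], e["src_port"])
```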

ride76
Explorer

The link where I initially started reading is http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Rex. Another link is http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Regex.

I am trying to filter on IP's in the format x.x.x.x/port#. Another query I am trying is rex field=_raw "http://(?[^:]*):*".

And of course the last query is not showing up correctly b/c the forum will not let me post tags. After the question mark there is supposed to be a field name. Rex-_raw is not working either.

dflodstrom
Builder

Highlight your 'code' and click the little binary looking 'code sample' button above the text input box and we'll see everything you type.

Woodcock makes a good point: you're saying "filter". REX doesn't filter, it captures the characters that match your pattern and assigns them to the field you specified/created.


dflodstrom
Builder

If your syntax is exactly as you've shown it you might not be matching 'digits' because you're using 'd' and not '\d'. Don't forget to escape special characters like '/' ... you might need '\/' there.

If the information you're trying to capture is something like 123.45.67.8/24 try: | rex "src\sinside\s(?\d+\.\d+\.\d+\.\d+\/\d+)"

-edited because splunk answers needs special characters escaped too.
