Splunk Search

Can't get rex to work

Explorer

I have been searching Splunk Answers and reading the documentation, and I'm not sure whether it is something simple I am missing, but rex using field=_raw does not seem to filter any results. For instance, whether I run a search with 'asterisk' or with '* | rex field=_raw "src inside (?<src>\d+.\d+.\d+.\d+\/\d+)"', the results are always the same. And this happens with every rex command I run. Can someone please point me in the right direction? Another example I cannot get to work is below:

'* | rex field=_raw "src inside (?<src>\d+.\d+.\d+.\d+\/\d+)"'


Esteemed Legend

Based on this clarification in which you used "FILTER":

I am trying to filter on IPs in the format x.x.x.x/port#. Another query I am trying is rex field=_raw "http://(?[^:]*):*".

This should work:

... | regex _raw="src\s*inside\s*\d+\.\d+\.\d+\.\d+/\d+"

This will throw away any events that do not match this RegEx (filtering in). If you need to filter out, use != instead of =.


Explorer

There are backslashes after each 'd' and '.'; the forum was removing them when I tried to post, but I just figured out how to post code. Also, I have tried running with rex and regex. Both samples are below.

rex field=_raw "(?<src>)\d+\.\d+\.\d+\.\d+(?<src_port>)\/\d+"

rex field=_raw "http://(?<Dest>[^:]*):*"

Builder

It might be time to rephrase your question. I don't think your desired outcome is clear. Provide some sample events for better help.



Esteemed Legend

You are using strange terminology. The rex command does NOT filter but the regex command does. The rex command creates new fields using existing fields. Are you trying to "filter" or create fields? Assuming the latter, this might work for you:

... | rex "src\s*inside\s*(?<src>\d+\.\d+\.\d+\.\d+)"
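The two answers above draw the distinction the asker was missing: regex decides which events survive, rex leaves every event in place and only adds fields from named capture groups (a group written as (?<src>) encloses nothing, so it can capture nothing). The following Python script is an added illustration, not code from the thread or from Splunk; it emulates the behaviour of both commands over four constructed log lines (the events, the web1 URL line and the helper names spl_regex, spl_rex, rex_then_filter and pcre_to_python are all assumptions made for this example). Splunk writes named groups in PCRE syntax, (?<name>...), while Python's re module requires (?P<name>...), so the patterns from the thread are converted before compiling.

```python
import re

# Constructed sample events (not from the original thread): three firewall-style
# lines and one web-proxy line. Only the first two contain "src inside x.x.x.x/port".
SAMPLE_EVENTS = [
    "Oct 12 10:01:02 fw1 Built connection src inside 10.0.0.5/52222 dst outside 198.51.100.7/443",
    "Oct 12 10:01:03 fw1 Teardown connection src inside 10.0.0.9/40111 dst outside 203.0.113.2/80",
    "Oct 12 10:01:04 fw1 Deny tcp src outside 192.0.2.44/1234 dst inside 10.0.0.5/22",
    "Oct 12 10:01:05 web1 GET http://intranet.example.test:8080/index.html 200",
]

# Patterns in Splunk's PCRE syntax: the first two come from the answers in the
# thread (the rex one extended with a port group), the third is the asker's.
REGEX_FILTER = r"src\s*inside\s*\d+\.\d+\.\d+\.\d+/\d+"
REX_SRC = r"src\s*inside\s*(?<src>\d+\.\d+\.\d+\.\d+)/(?<src_port>\d+)"
REX_DEST = r"http://(?<Dest>[^:]*):*"


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).
    Lookbehind assertions (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def spl_regex(events, pattern, negate=False):
    """Emulate `| regex _raw="..."` (negate=True emulates `_raw!="..."`).
    Whole events are kept or dropped; no field is ever created."""
    compiled = re.compile(pcre_to_python(pattern))
    return [ev for ev in events if bool(compiled.search(ev)) != negate]


def spl_rex(events, pattern):
    """Emulate `| rex field=_raw "..."`. Every event survives, matching or not;
    named capture groups become new fields only on the events that matched."""
    compiled = re.compile(pcre_to_python(pattern))
    result = []
    for ev in events:
        fields = {"_raw": ev}
        match = compiled.search(ev)
        if match:
            fields.update(match.groupdict())
        result.append(fields)
    return result


def rex_then_filter(events, pattern, field):
    """Extract with rex, then keep only events where the new field exists,
    the SPL equivalent being `| rex ... | where isnotnull(src)`."""
    return [ev for ev in spl_rex(events, pattern) if field in ev]


if __name__ == "__main__":
    print(len(SAMPLE_EVENTS), "events in")
    print(len(spl_regex(SAMPLE_EVENTS, REGEX_FILTER)), "events after | regex (filtered in)")
    print(len(spl_regex(SAMPLE_EVENTS, REGEX_FILTER, negate=True)), "events after | regex != (filtered out)")
    print(len(spl_rex(SAMPLE_EVENTS, REX_SRC)), "events after | rex (nothing dropped)")
    for ev in spl_rex(SAMPLE_EVENTS, REX_SRC):
        print("  src=%s src_port=%s" % (ev.get("src"), ev.get("src_port")))
    print(len(rex_then_filter(SAMPLE_EVENTS, REX_SRC, "src")), "events after rex + where isnotnull(src)")
    print(spl_rex(SAMPLE_EVENTS, REX_DEST)[3].get("Dest"), "extracted by the URL pattern")
```

Running it shows the asker's symptom directly: rex returns all four events whichever pattern is used, while regex returns the two that match (or the two that do not, with !=). Extracting first and then filtering on the new field gives both the field and the reduced result set.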

Explorer

The link where I initially started reading is http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Rex. Another link is http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Regex.

I am trying to filter on IPs in the format x.x.x.x/port#. Another query I am trying is rex field=_raw "http://(?[^:]*):*".

And of course the last query is not showing up correctly because the forum will not let me post tags. After the question mark there is supposed to be a field name. Rex-_raw is not working either.

Builder

Highlight your 'code' and click the little binary looking 'code sample' button above the text input box and we'll see everything you type.

Woodcock makes a good point: you're saying "filter". REX doesn't filter; it captures the characters that match your pattern and assigns them to the field you specified/created.


Builder

If your syntax is exactly as you've shown it you might not be matching 'digits' because you're using 'd' and not '\d'. Don't forget to escape special characters like '/' ... you might need '\/' there.

If the information you're trying to capture is something like 123.45.67.8/24 try: | rex "src\sinside\s(?\d+\.\d+\.\d+\.\d+\/\d+)"

-edited because splunk answers needs special characters escaped too.
