Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you help me with a regex expression(multip...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me with a regex expression(multiple in one query)?
JoshuaJohn
Contributor
10-02-2018
01:57 PM
Trying to capture multiple groups, basically after the colon
MacAddress : 7A:AA:82:31:24:B1
Manufacturer : VENDOR
Username : SC32131BN_user
IPNET : 11.412.111.
PasswordExpires : 11/24/2018 3:44:48 PM
Version : CCCS - 1423209
PhysicalDriveSpace : 19.620432424279
TotalRAM : 3.84324242539
DHCPLeaseExpires : 20432424324215.000000-300
DHCPServer : 11.12.234.61
SID : S-1-5-21-432233414-414324275-1810497902-1001
The name would be the field on the left.
I tried something like this: | rex "MacAddress\s+:\s(?P[^\n]) | Manufacturer\s+:\s)(?P[^\n])" but it doesn't appear to be giving me anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
KailA
Contributor
10-03-2018
02:22 PM
Hi,
If this in only one event, like a multivalue field, I may have a solution for you :
Replace every
:by=
| rex field=yourfield mode=sed "s/:/=/"Rename your field as
_raw
|rename yourfield as _rawUse
KVfunction
| KV
Edit :
Working example :
| makeresults
| eval data="MacAddress : 7A:AA:82:31:24:B1,Manufacturer : VENDOR,Username : SC32131BN_user,IPNET : 11.412.111.,PasswordExpires : 11/24/2018 3:44:48 PM,Version : CCCS - 1423209,PhysicalDriveSpace : 19.620432424279,TotalRAM : 3.84324242539,DHCPLeaseExpires : 20432424324215.000000-300,DHCPServer : 11.12.234.61,SID : S-1-5-21-432233414-414324275-1810497902-1001"
| eval data = split(data,",")
| rex field=data mode=sed "s/:/=/"
| rename data as _raw
| KV
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
10-02-2018
09:24 PM
Try this :
props.conf -
[<yoursourcetypename>]
REPORT-xmlext = xml-extr
Transforms.conf -
[xml-extr]
REGEX =(\w+)\s*:\s([^\r\n]+)
FORMAT = $1::$2
MV_ADD = true
REPEAT_MATCH = true
It will extract fields at index time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
10-03-2018
11:58 AM
Unfortunately do not have access to edit props.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
10-03-2018
08:55 PM
then try this in query:
...| extract kvdelim=":" pairdelim="\n"
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
