Splunk Search

Can you help me with the following regex please?

jip31
Motivator

Hi,

I want to add a rex field to my search:

index=windows sourcetype="wineventlog:system" SourceName="Disk" count="$process$"
| dedup _time
| table _time host Type EventCode

There are 2 conditions for my rex field:

Une erreur a été détectée sur le périphérique \Device\Harddisk1\DR1 lors d'une opération de pagination.

\Harddisk\ has to end with 0 or 1, not with another number.

After \Harddisk0\ or \Harddisk1\ it is mandatory to have DR.

Could you help me please?

0 Karma
1 Solution

FrankVl
Ultra Champion

Try this if you want to use the regex command to search for events that match those conditions:
| regex "\\Harddisk[0-1]\\DR"
https://regex101.com/r/F6AExN/1

Try this if you want to use the rex command to extract the harddiskname (only those matching your conditions):
| rex "\\(?<diskName>Harddisk[0-1])\\DR"
https://regex101.com/r/F6AExN/2


0 Karma

harsmarvania57
Ultra Champion

Hi @jip31,

Please try the search below, replacing <FieldName> with the actual field name.

index=windows sourcetype="wineventlog:system" SourceName="Disk" count="$process$"
| dedup _time
| rex field=<FieldName> "\x5C\w+\x5C(?<extracted_disk>Harddisk(?:0|1))\x5CDR"
| where isnotnull(extracted_disk)
| table _time host Type EventCode extracted_disk

If you do not want to extract Harddisk0 or Harddisk1 into another field and only want to filter results based on those Harddisk values, then use the regex command.

index=windows sourcetype="wineventlog:system" SourceName="Disk" count="$process$"
| dedup _time
| regex <FieldName>="\x5C\w+\x5C(Harddisk(?:0|1))\x5CDR"
| table _time host Type EventCode
0 Karma
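Added example (not from either answer above): the two answers' patterns translated to Python's `re` and run over constructed event messages, so the two conditions from the question (disk number 0 or 1 only, followed by \DR) can be checked against edge cases such as Harddisk2, Harddisk10 and a device that is not followed by DR. Splunk's rex uses PCRE, where the capture is written `(?<diskName>...)`; Python spells it `(?P<diskName>...)`, and the sample messages, function names and the `\Device\` prefix in the strict variant are assumptions.

```python
import re

# FrankVl's accepted pattern, in Python re syntax. Backslashes are written as \x5C,
# as in harsmarvania57's answer, so they cannot be eaten by a string-escaping layer.
DISK_PATTERN = re.compile(r"\x5C(?P<diskName>Harddisk[01])\x5CDR")

# harsmarvania57's stricter variant: also requires a \<word>\ segment (e.g. \Device\)
# right before Harddisk.
DISK_PATTERN_STRICT = re.compile(r"\x5C\w+\x5C(?P<diskName>Harddisk(?:0|1))\x5CDR")

# Constructed sample messages modelled on the French Windows "Disk" event in the
# question. Only the first two satisfy both conditions.
SAMPLE_MESSAGES = [
    r"Une erreur a été détectée sur le périphérique \Device\Harddisk1\DR1 lors d'une opération de pagination.",
    r"Une erreur a été détectée sur le périphérique \Device\Harddisk0\DR0 lors d'une opération de pagination.",
    r"Une erreur a été détectée sur le périphérique \Device\Harddisk2\DR2 lors d'une opération de pagination.",    # ends in 2
    r"Une erreur a été détectée sur le périphérique \Device\Harddisk10\DR10 lors d'une opération de pagination.",  # ends in 10
    r"Une erreur a été détectée sur le périphérique \Device\Harddisk1\DP1 lors d'une opération de pagination.",    # no \DR
]


def extract_disk_name(message, pattern=DISK_PATTERN):
    """Equivalent of `| rex`: return the diskName capture, or None if the event does not match."""
    match = pattern.search(message)
    return match.group("diskName") if match else None


def filter_messages(messages, pattern=DISK_PATTERN):
    """Equivalent of `| regex`: keep only the events whose message matches the pattern."""
    return [m for m in messages if pattern.search(m)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        # Prints the extracted disk name (or None) next to the device part of the message.
        print(extract_disk_name(msg), "<-", msg.split("périphérique ")[1])
```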
