Extract all regex matches as a list in each log
Input:

| Message | ID |
|---|---|
| ... tt_1 ... tt_2 ... tt_9 ... tt_3 | 1 |
| ... tt_6 ... tt_4 ... tt_5 | 2 |

Output:

| Message | ID | TT |
|---|---|---|
| ... tt_1 ... tt_2 ... tt_9 ... tt_3 | 1 | tt_1 tt_2 tt_9 tt_3 |
| ... tt_6 ... tt_4 ... tt_5 | 2 | tt_6 tt_4 tt_5 |
In the above "Message" field the "..." indicates some random text in between. So basically I want to extract all words starting with "tt_" and display them as in the table shown above. Can anyone help me with the Splunk query for it?


Hi @nagulan_s,
if you could share some sample of your logs I could be more sure about the regex.
Anyway, supposing that you have to extract values starting with "tt_" followed by a number, you could use something like this:
your_search
| rex max_match=0 field=Message "(?<TT>tt_\d+)"
| table Message ID TT
Ciao.
Giuseppe
I tried something like this but the output is not as expected.
Expected output:

| Message | ID | TT |
|---|---|---|
| ... tt_1 ... tt_2 ... tt_9 ... tt_3 | 1 | tt_1 tt_2 tt_9 tt_3 |

Output from your suggestion:

| Message | ID | TT |
|---|---|---|
| ... tt_1 ... tt_2 ... tt_9 ... tt_3 | 1 | tt_1 |
| ... tt_1 ... tt_2 ... tt_9 ... tt_3 | 1 | tt_2 |
| ... tt_1 ... tt_2 ... tt_9 ... tt_3 | 1 | tt_9 |


Hi @nagulan_s ,
you have to add max_match to your rex command:
your_search
| rex max_match=0 field=Message "(?<TT>tt_\d+)"
| table Message ID TT
Ciao.
Giuseppe
This is what I am using, and the result is like the table in the above reply.
| rex max_match=0 field=ErrorMessage "Time spent on step (?<stepID>.*) : " | table Messages, UMID, stepID


Hi @nagulan_s,
could you share a sample of your logs, so I could be more sure about the regex?
Ciao.
Giuseppe
Why do you think there may be a problem in the regex? I am able to extract all the regex matches in each log, but the problem is that each match is displayed as a separate row; I want all the regex matches from a single log in one row.


Hi @nagulan_s,
the solution should be:
your_search
| rex max_match=0 field=Message "(?<TT>tt_\d+)"
| table Message ID TT
| nomv TT
at the end of your search, because the nomv command puts all the multivalues in one row, but I don't know why it doesn't run in this search!
I'd like to make a test on the original source to see if, maybe, there's some problem in the regex.
Ciao.
Giuseppe
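To show what the suggested rex max_match=0 / nomv pipeline does per event, and why the output in the thread (one row per match) looks instead like the effect of mvexpand, here is an added Python model of those three SPL commands run over constructed events. It is not code from the thread or from Splunk; the events, the field names and the `STEP_MSG` line are made up, and Python's `re` stands in for Splunk's PCRE engine.

```python
import re

# Constructed sample events (not from the thread): the ID and Message fields
# of the question, with filler text between the tt_N tokens.
EVENTS = [
    {"ID": "1", "Message": "start tt_1 foo tt_2 bar tt_9 baz tt_3 end"},
    {"ID": "2", "Message": "start tt_6 foo tt_4 bar tt_5 end"},
]


def rex_max_match(events, field, pattern, dest):
    """Model of `rex max_match=0 field=<field> "(?<dest>pattern)"`.

    Every event keeps exactly ONE row; dest becomes a multivalue field,
    represented here as a Python list holding all matches in order.
    """
    rx = re.compile(pattern)
    return [{**ev, dest: rx.findall(ev.get(field, ""))} for ev in events]


def nomv(rows, field, sep=" "):
    """Model of `nomv <field>`: flatten the multivalue list into one string."""
    return [{**r, field: sep.join(r[field])} for r in rows]


def mvexpand(rows, field):
    """Model of `mvexpand <field>`: one output row per value.

    This is the shape reported in the thread (tt_1, tt_2, tt_9 on separate
    rows), so a stray mvexpand or a `stats ... by TT` is what to look for.
    """
    return [{**r, field: v} for r in rows for v in r[field]]


def extract_tt(events):
    """The answer's pipeline: rex max_match=0 -> nomv, one row per event."""
    return nomv(rex_max_match(events, "Message", r"tt_\d+", "TT"), "TT")


# The stepID regex posted later uses a greedy ".*". On an event holding more
# than one "Time spent on step X : ..." fragment, greedy ".*" yields a single
# match running to the LAST " : ", while non-greedy ".*?" yields one per step.
STEP_MSG = "Time spent on step A : 5ms; Time spent on step B : 7ms"  # constructed


def step_ids(pattern):
    return re.findall(pattern, STEP_MSG)


if __name__ == "__main__":
    for row in extract_tt(EVENTS):
        print(row["Message"], "|", row["ID"], "|", row["TT"])
```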
@gcusello
You can maybe take the example from here https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-field-if-....
My doubt is exactly the same, but in the answer section they didn't use rex; maybe you can give me a solution with rex for the same question.


Hi @nagulan_s,
in that question they used eval because the values were separated by a character, but you showed different data; for this reason I asked you to share a sample of your logs: I cannot write a regex without it.
Using the data you shared, I get the result you want.
If it's reserved data, you can mask it, but don't change the log structure, and please share a full event.
Ciao.
Giuseppe.
