Solved: Extract information via regex - Page 2

rafamss · ‎12-02-2013

Hi guys,

I need some help to split the field below:

xyu_0987|123456:123456|123456:123456,

before the first pipeline(xyz_9807) displays the information about one rule;
after the first pipeline(|93830:09383) displays the information about alerts rules;
after the second pipeline(|093732:827332) displays information about denied rules.

The second point is that each rule is segmented by " : ", how i split the fields in order to keep this format: Remembering that segmented rule can be repeat more times, and each rule must be in fields separated.

Rule       Alerts Rule              Denied Rule 
           Rule 1 : Rule 2          Rule 1 : Rule 2
xyu_0987   123456 : 123456          123456 : 123456

Can you help me ?

Regards,

Rafael Martins

sbsbb · ‎12-02-2013

For making my tries with splunk regex, I use the program Kodos, that use the same synthax...

I would suggest you something like (I'm not good at regex, but mostly achieve what I want 😉

| rex max_match=0 "(?P<Rule>.*)\|(?P<Alert1>.*):(?P<Alert2>.*)\|(?P<Denied1>.*):(?P<Denied2>.*)"

If the number of Rules between the pipes is unknown, than I would try first to extract AlertString, DeniedString, and then extract the Rules as Multivalue Field you could mvexpand :

| rex max_match=0 "(?P<Rule>.*)\|(?P<AlertString>.*)\|(?P<DeniedString>.*)
| rex max_match=0 field=AlertString "(?P<AlertRules>[regex to split Rules])"
| rex max_match=0 field=AlertString "(?P<DeniedRules>[regex to split Rules])"
| mvexpand AlertRules | fields - AlertString
| mvexpand DeniedRules | fields - DeniedString
| table *

View solution in original post

Extract information via regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!