Splunk Search

Extracting some Values that Match RegEx on the Fly

Makinde
New Member

I have data that includes computer names in my environment. The computer names follow a certain pattern, usually a combination of letters and digits, but always exactly 7 characters.

I have the regex expression that matches the pattern; how do I apply it in my search to identify only computer names that match that pattern?

For example, here is my search:

index= sourcetype=windows computer_name=*

(I want to include the regex pattern so it returns only values that meet my criteria.)

The regex pattern that matches the pattern is ^\w{7}$

1 Solution

javiergn
Super Champion

You can't prefilter using regex, but you can postfilter instead using the regex command:

index=YOURINDEX sourcetype=windows 
| regex computer_name="^\w{7}$"

Alternatively, if you could get a list of all your computer names from somewhere else, you could use a subsearch such as:

index=YOURINDEX sourcetype=windows [| searchyourcomputernames | dedup computer_name | table computer_name]

Careful with subsearches though. The above would be the equivalent of:

index=YOURINDEX sourcetype=windows (computer_name=name1 OR computer_name=name2 OR ... OR computer_name=nameN) 


jeffland
SplunkTrust

Just to add to your options, you may be interested in this search:

index=foo | where match(computer_name, "^\w{7}$") OR match(computer_name, "kiosk")

It's basically the same as using rex to create a field and then filtering; it just does it in one step. Of course, you can also do it like this:

index=foo | where match(computer_name, "^\w{7}$|kiosk")

Furthermore, if you're more acquainted with SQL, you can use like instead of match:

index=foo | where like(computer_name, "%kiosk%")

See here for all the fun things to do with eval!


Makinde
New Member

Thanks Javiergn and Somesoni2.

It works now; I was using regex101 to test the string, so I confirmed it works.

Somesoni2, your regex worked as well, except that it didn't pick up a Computer_name that contained Kiosk and was more than 7 characters. Figured it out by making a few changes to the regex.

I appreciate you guys' help. Thanks.


Makinde
New Member

Hi Javiergn,

What if I wanted to include an OR, say:

index=YOURINDEX sourcetype=windows
| regex computer_name="^\w{7}$" OR computer_name=*kiosk*

How would that work?


javiergn
Super Champion

Nope.
But you can add it to your regex:

index=YOURINDEX sourcetype=windows 
| regex computer_name="(?:(^\w{7}$)|(kiosk))"

Makinde
New Member

Hi Javiergn,

I tried the regex combination you suggested; however, computer names such as TCKIOSK788 or OGN_CMAKIOSK122 are left out.

I want to include any computer name that has the word "Kiosk" in it.


javiergn
Super Champion

That's probably because my regex is not case sensitive. Try this instead:

index=YOURINDEX sourcetype=windows 
| regex computer_name="(?i)(?:(^\w{7}$)|(kiosk))"

Makinde
New Member

Hi Javiergn,

It still doesn't match the criteria. I'm not sure you understand what I want.

The KIOSK in the regex seems to only match the word KIOSK, but that's not what I want; I want it to match any computer_name that has the word KIOSK in it.

For example,

The current regex will identify a computer_name that is strictly "kiosk" or any 7-character computer name. But I have computer names like TCKIOSK788 or OGN_CMAKIOSK122; the common word in them is KIOSK.

How can I get the regex to pick out the whole computer_name not just the word KIOSK?

Thanks,
Makinde


javiergn
Super Champion

Apologies, as I can't test this right now from my phone. I'm pretty sure the regex was matching the full computer name, but if not, try this instead:

index=YOURINDEX sourcetype=windows 
| regex computer_name="(?i)(?:(^\w{7}$)|(\w+kiosk\w+))"

javiergn
Super Champion

Please keep in mind that you can test your regex at www.regex101.com. Simply remove the double quotes around the regex above and paste it into the regex box. Then try a few examples to confirm it's working as expected.

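The regex101 check suggested above, done offline as an added example (this is not code from the thread or from Splunk): it runs each regex variant proposed in the thread, plus a translation of jeffland's like("%kiosk%") idea, over a constructed list of computer names. TCKIOSK788 and OGN_CMAKIOSK122 come from the poster; the other names are made up here to exercise the edge cases. The search() call models Splunk's regex command, which matches anywhere in the field unless the pattern is anchored; like_to_regex is my own helper and assumes like() is case-sensitive, which is why %kiosk% and %KIOSK% give different results.

```python
import re

# Constructed sample names. Only TCKIOSK788 and OGN_CMAKIOSK122 appear in the
# original thread; the rest are invented here to probe specific edge cases.
SAMPLE_NAMES = [
    "ABC1234",          # exactly 7 word characters: should match ^\w{7}$
    "AB_1234",          # underscore counts as \w (PCRE and Python agree)
    "ABC12345",         # 8 characters: anchored 7-char pattern must reject it
    "kiosk",            # the bare word, lower case
    "TCKIOSK788",       # upper-case KIOSK inside a longer name
    "OGN_CMAKIOSK122",  # upper-case KIOSK after an underscore
    "KIOSK1234",        # KIOSK at the very start: nothing before it
    "WS-0012A",         # hyphen is not \w, so not a 7-\w name
]

# The regex variants proposed in the thread, in the order they appeared.
PATTERNS = {
    "seven_only":        r"^\w{7}$",
    "seven_or_kiosk":    r"(?:(^\w{7}$)|(kiosk))",
    "seven_or_kiosk_ci": r"(?i)(?:(^\w{7}$)|(kiosk))",
    "kiosk_between_w":   r"(?i)(?:(^\w{7}$)|(\w+kiosk\w+))",
    "kiosk_anywhere":    r"(?i)(?:(^\w{7}$)|(.*kiosk.*))",
}


def matches(pattern, names=SAMPLE_NAMES):
    """Return the names the pattern matches.

    re.search() is used rather than re.match() because Splunk's regex command
    matches anywhere in the field value; only ^ and $ in the pattern anchor it.
    """
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def like_to_regex(like_pattern):
    """Translate a SQL-style like() pattern into an anchored, case-sensitive regex.

    % becomes .* (any run of characters), _ becomes . (exactly one character),
    everything else is escaped literally. Assumption (mine, not documented on
    this page): like() is case-sensitive, so %kiosk% will not see KIOSK.
    """
    parts = []
    for ch in like_pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def summarize(names=SAMPLE_NAMES):
    """Map each pattern name to the list of sample names it accepts."""
    return {label: matches(pattern, names) for label, pattern in PATTERNS.items()}


if __name__ == "__main__":
    for label, hits in summarize().items():
        print(f"{label:18s} -> {hits}")
    print(f"{'like %kiosk%':18s} -> {matches(like_to_regex('%kiosk%'))}")
    print(f"{'like %KIOSK%':18s} -> {matches(like_to_regex('%KIOSK%'))}")
```

Two things fall out of the table: without (?i) the kiosk alternative only ever sees the lower-case name, which is the failure the poster reported; and \w+kiosk\w+ demands at least one word character on each side, so a name that starts with KIOSK and is longer than 7 characters is silently dropped, which is what .*kiosk.* fixes.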

somesoni2
Revered Legend

How about this

index=YOURINDEX sourcetype=windows 
| regex computer_name="(?i)(?:(^\w{7}$)|(.*kiosk.*))"

somesoni2
Revered Legend

Try something like this

index= sourcetype=windows | regex computer_name="^\w{7}$"