Splunk Search

Filter the source-file of logs with "rex" command to produce fields

evang_26
Communicator

Hi users,

I automatically import some log-files to Splunk using a script. The naming convention for those files is somehow arbitrary.

My aim is to produce a panel depicting the totals of the logs for each file in a stacked manner. Till here we are good.

The problem is that the log-file names are pretty awkward and long given the fact that they also reveal the complete path as to where they came from. I want to present to the viewer only the most intuitive part of the log-file name.

Here is what I managed to do but it doesn't work as expected.

sourcetype=nessus source=*SNMP* earliest=-1mon@mon latest=now signature_id=41028| rex "source.*SNMP public community \((?<area>.*)\)" |chart count(dest_dns) by area

I assume that the "source" of the file is not appeared within the log itself, maybe. And that's why I can't filter it with rex

Are you aware of any other technique that might help me to display only a particular part of the source-name?

Regards,
Evang

Tags (3)
0 Karma
1 Solution

theouhuios
Motivator

Try this for rex. Field can be used to pick any available fields which splunk provides on the left hand side and then the rex expression which you write will be applied on that field.

|rex field=source "*SNMP public community \((?<area>.*)\)""

View solution in original post

Ayn
Legend

You can have rex match against any field you like, including the source field. Just use the field= parameter to rex.

http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Rex

evang_26
Communicator

Okay, sorry, false alarm!

It was the multi-series mode which I've never played with, and for first time was by default switched on.

Many thanks to both!

Regards,
Evang

0 Karma

evang_26
Communicator

That is excellent! It worked like a charm! Thanks to both of you!

However, one thing occurred. The output has two separated charts rather than one, and thus I can't stack the results.

Any idea?

Regards,
Evang

0 Karma

theouhuios
Motivator

Try this for rex. Field can be used to pick any available fields which splunk provides on the left hand side and then the rex expression which you write will be applied on that field.

|rex field=source "*SNMP public community \((?<area>.*)\)""
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...