Splunk Search

Filter the source-file of logs with "rex" command to produce fields

evang_26
Communicator

Hi users,

I automatically import some log files into Splunk using a script. The naming convention for those files is somewhat arbitrary.

My aim is to produce a panel depicting the totals of the logs for each file in a stacked manner. Up to here we are good.

The problem is that the log-file names are pretty awkward and long, given that they also reveal the complete path they came from. I want to present to the viewer only the most intuitive part of the log-file name.

Here is what I managed to do but it doesn't work as expected.

sourcetype=nessus source=*SNMP* earliest=-1mon@mon latest=now signature_id=41028| rex "source.*SNMP public community \((?<area>.*)\)" |chart count(dest_dns) by area

I assume that the "source" of the file does not appear within the log itself, maybe, and that's why I can't filter it with rex.

Are you aware of any other technique that might help me to display only a particular part of the source-name?

Regards,
Evang

1 Solution

theouhuios
Motivator

Try this for rex. field= can be used to pick any of the available fields which Splunk lists on the left-hand side, and the rex expression you write will then be applied to that field.

| rex field=source "SNMP public community \((?<area>[^)]+)\)"

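As an added example, not part of the answer above or of Splunk's documentation: a search that checks the source-name extraction against constructed sample values before it is pointed at real data. The three file paths, the area names and the "unmatched" label are made up for illustration; makeresults requires Splunk 6.3 or later.

```spl
| makeresults count=3
| streamstats count AS n
| eval source=case(
      n=1, "/opt/nessus/exports/SNMP public community (Building A).nessus",
      n=2, "/opt/nessus/exports/SNMP public community (Building B) (rescan).nessus",
      n=3, "/opt/nessus/exports/Nightly scan (Building A).nessus")
| rex field=source "SNMP public community \((?<area>[^)]+)\)"
| fillnull value="unmatched" area
| stats count BY area, source
```

The first three lines only build sample events; in the real panel they are replaced by the base search (sourcetype=nessus source=*SNMP* ...) and the final stats by the chart count(dest_dns) by area from the question. Two details are worth checking here rather than in the dashboard: `[^)]+` stops at the first closing parenthesis, so the second sample yields "Building B", whereas a greedy `.*` would run to the last parenthesis and capture "Building B) (rescan"; and fillnull makes sources the regex did not match visible as "unmatched", since chart or stats ... by area silently drops events that have no area value.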

Ayn
Legend

You can have rex match against any field you like, including the source field. Just use the field= parameter to rex.

http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Rex

evang_26
Communicator

Okay, sorry, false alarm!

It was the multi-series mode, which I've never played with, and for the first time it was switched on by default.

Many thanks to both!

Regards,
Evang


evang_26
Communicator

That is excellent! It worked like a charm! Thanks to both of you!

However, one thing came up: the output has two separate charts rather than one, and thus I can't stack the results.

Any idea?

Regards,
Evang

