Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with improving Regex

youngsuh
Contributor
‎02-02-2021 05:39 PM

Here is the regex to extract message_type based on CIM.  Could anyone make this faster than 1387 steps?

https://regex101.com/r/dHbs4i/1

 

(?P<message_type>[^.]query|response)\:

 

 

Here is the sample syslog for DNS.

 

Feb  3 00:42:32 FSTAd2346.g.ae3.dns.mil tmm[19902] 2021-02-03 00:42:32 FSTAd2346.g.ae3.dns.mil qid 26818 from 10.130.27.34#13258: view none: query: a-grv-gocdzace.g.ae3.dns.mil IN A + (10.130.44.87%0)
Feb  3 00:42:32 FSTAd2346.g.ae3.dns.mil tmm[19902] 2021-02-03 00:42:32 FSTAd2346.g.ae3.dns.mil qid 57035 to 10.130.27.34#13258: [NOERROR qr,aa,rd] response: a-grv-gocdzace.g.ae3.dns.mil

 

   

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-02-2021 08:56 PM

This executes with 50 steps with the given sample data.

 

(?<message_type>query|response)\:

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎02-02-2021 10:29 PM

Unless you really need to have the [\.] in the regex, i.e. you want to match any character in front of the word query, other than the '.' character and to include this in your message type then you should use one of the suggestions.

NB, you don't need the \ in front of :

 

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-02-2021 08:56 PM

This executes with 50 steps with the given sample data.

 

(?<message_type>query|response)\:

 

 

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-02-2021 08:23 PM

Hi @youngsuh,

Below is working in 163 steps based on your sample data. 

\s(?P<message_type>query|response)\:

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...