- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with regex with two different type events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello I have the below sample events
Thu Sep 5 10:00:02 EDT 2019 XDB EXPIRED & LOCKED 28-SEP-11 CTXAPP
Thu Sep 5 10:00:02 EDT 2019 VWEinsnte3345 LOCKED GPW_READ
Thu Sep 5 10:00:02 EDT 2019 SK_RYT LOCKED(TIMED) CDS_SELECT_ALL
I want to extract XDB , VWEinsnte3345 ,SK_RYT AS USERNAME and EXPIRED & LOCKED , LOCKED , LOCKED(TIMED) as status , 28-SEP-11 as expiry date(this field is not there for all events) and CTXAPP , GPW_READ , CDS_SELECT_ALL as ROLE
Below is the regex I am using but this is only extracting for event 2
EDT\s\d*\s(?<USERNAME>[^\s]+)\s*(?<STATUS>[^ ]+)\s*(?<ROLE>[^ ]+)
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi vrmandadi,
you could try to use two regexes to extract fields:
| rex "EDT\s\d*\s(?<USERNAME>[^\s]+)\s*(?<STATUS>.*)\s+(?<ROLE>[^ ]+)$"
| rex field=STATUS "(?<STATUS1>.*)\s+(?<expity_date>\d+-\w+-\d+)"
| eval STATUS=coalesce(STATUS1, STATUS)
The second regex runs with events with expiry date and the second one with events without it.
You can test the first regex in https://regex101.com/r/oNrmd0/1 and the second one in https://regex101.com/r/oNrmd0/2
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi vrmandadi,
you could try to use two regexes to extract fields:
| rex "EDT\s\d*\s(?<USERNAME>[^\s]+)\s*(?<STATUS>.*)\s+(?<ROLE>[^ ]+)$"
| rex field=STATUS "(?<STATUS1>.*)\s+(?<expity_date>\d+-\w+-\d+)"
| eval STATUS=coalesce(STATUS1, STATUS)
The second regex runs with events with expiry date and the second one with events without it.
You can test the first regex in https://regex101.com/r/oNrmd0/1 and the second one in https://regex101.com/r/oNrmd0/2
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
EDT\s\d*\s(?<USERNAME>[^\s]+)\s*(?<STATUS>\w+( & \w+)?)\s*(?<EXPIRY>\d+-[A-Z]+-\d+)?\s*(?<ROLE>[A-Za-z0-9_-]+)
regex101.com is your friend.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @DalJeanis I tried your regex but it did not work .I did try that in regex101 but it is not capturing everything for EXPIRY the values are 28-SEP-1 and ROLE has 1 which should be 28-SEP-11 and CTXAPP respectively .
The same with event 2 the status has value LOCKE and ROLE has D
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is that your entire event? if not then could pls share the entire event?
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
