Splunk Search

How can I extract a field using rex that fulfils more than one condition?

bsinsan
Observer

So I want to extract the last word as a field on each search result but want to grab those that only fulfils the following conditions:

1) the last word before space

2) exclude those with a period "." right after the last word

sample events:

the current status is START system goes on …

the current status is STOP please do …..

the current status is PENDING.

And my rex will extract the words from “status is “ and the word right after, but if that word has a period right after, I don’t want to extract.


I only been able to retrieve everything using the following, but not able to exclude those with a period right after.

rex field=_raw "status is\s(?<status>[^\s]+)"

Labels (1)
Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

As ever, solving rex questions are easier if you provide some sample events, preferably in a code block </> to avoid loss of formatting information.

0 Karma

bsinsan
Observer

Thanks for your comments I have added more details.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You don't need to specify field=_raw as this is the default field. Anyway, you just need to follow your extraction with a space.

| rex "status is\s(?<status>[^\s]+)\s"
0 Karma

bsinsan
Observer

Thanks but unfortuately this does not work for me.  I'm still getting results for these:

 

ACTIVE

PENDING.

INACTIVE

I only want ACTIVE and INACTIVE in this case.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please share the events which are not working for you as the suggested solution works with the sample events you have provided so far

| makeresults
| eval _raw="the current status is START system goes on …
the current status is STOP please do …..
the current status is PENDING."
| multikv noheader=t
| table _raw
| rex "status is\s(?<status>[^\s]+)\s"

It is usually best to provide accurate samples, it tends to reduce the amount of wasted time!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...