Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can you do OR statements in rex?

jambajuice
Communicator
‎01-24-2011 07:00 AM

I'm trying to write a regex expression that extracts a field that ends in either a new line or a ":". I am trying to write the equivalent of (\n|:). When I use that kind of regex in a transforms.conf or props.conf file, it works fine. When I use it in a search command, it always treats the "|" OR symbol as a search pipeline. Is there any way to escape it using rex so that Splunk will treat it like an "OR"?

Thx.

Craig

Tags (1)
0 Karma
Reply

Paolo_Prigione
Builder
‎01-24-2011 01:45 PM

Lookbehinds are not particularly performant. Why not define your regex such as:

"\|(?<service_name>\w+\([^\)]+\))"

thus terminating the extraction at the closing parenthesis?

If else, you need a simple choice between one or more single characters, you can use a char class:

[\n:]

matches either a new line or a column.

Reply

jambajuice
Communicator
‎01-24-2011 10:01 AM

Putting the regex in quotes didn't help. I used the following lookbehind assertion to solve the problem:

(?<=))

0 Karma
Reply

jambajuice
Communicator
‎01-24-2011 08:10 AM

But for some reason when I display the results in a table, the values that do not end with |5 digits| appear as: unknown(5774/udp) 192.168.250. So, it looks like it is grabbing the next line up until the "|".

How do I tell rex to end the match on either a "|" or a new line character?

Thx.

0 Karma
Reply

jambajuice
Communicator
‎01-24-2011 07:48 AM

I have a field called "results" that looks like one of the following:

192.168.250|192.168.250.83|unknown (57753/udp)

OR

192.168.250|192.168.250.83|snmp (161/udp)|14274|

I'm trying to extract the service name and ports, such as "ssh (22/tcp)". Some extractions end with a new line, others with a |.

My rex is: rex field=results max_match=400 "(?i)\d+.\d+.\d+|\d+.\d+.\d+.\d+|(?P[^|]+)

0 Karma
Reply

Ayn
Legend
‎01-24-2011 07:30 AM

The reason Splunk treats the "|" symbol as a search pipeline is most likely because you're not putting your regex inside quotes. You're probably doing something like this:

yoursearch | rex field=_raw (?<yourfield>\n|:)

whereas you should be doing it like this:

yoursearch | rex field=_raw "(?<yourfield>\n|:)"
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...