Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I combine multiple rex commands into a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am working with some unstructured data so I'm using the rex command to get some fields out of it. I need three fields in total, and I have managed to extract them with three distinct rex commands. I am now trying to merge them into a single one, but I am having trouble doing so. Following is a run anywhere search where I've put the unstructured data into a string that is then used by the rex commands:
| makeresults
| eval string="================================================================
= JOB : MAXFED33S-LHMX#MDK1997DAILYFTPCONN[(2130 10/31/18),(0AAAAAAAAAAAOBWS)]
= USER : DOMAIN\khectic
= SCRIPT : c:\scripts\mdk_copy.bat
= Job Number: 2484514
===============================================================
********************************************************************************************
** copying from
** \temp\mdk_temp.csv
** to
** \target\
** success **
********************************************************************************************
===============================================================
= Exit Status :OK
==============================================================="
| rex field=string ".+#(?<job>[\w]+)\[."
| rex field=string ".+SCRIPT[\s\t]*:[\s\t]*(?<script>[\w\d.\\\:\s-]+)"
| rex field=string ".+Exit\sStatus[\s\t]*:[\s\t]*(?<exit_status>[\w]+)"
Obviously this is not the most efficient way of doing it so I'm trying to use a single rex command, and this is where I'm having trouble. I'm trying to join them using the .+ notation which I think means "any character one or more times until the next field extraction", but no dice. This is what that looks like (doesn't work):
| rex field=string ".+#(?<job>[\w]+)\[.+SCRIPT[\s\t]*:[\s\t]*(?<script>[\w\d.\\\:\s-]+).+Exit\sStatus[\s\t]*:[\s\t]*(?<exit_status>[\w]+)"
Would appreciate a push in the right direction.
Thank you in advance and best regards,
Andrew
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
| rex field=string "JOB[^#]+#(?<job>[^\[]+)([^\r\n]+[\r\n]){2}\s*\=\s*SCRIPT[^:]+:\s*(?<script>[^\r\n]+)([^\r\n]+[\r\n])+\s*\=\s*Exit\s*Status[^:]+:\s*(?<exit_status>[\w]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
| rex field=string "JOB[^#]+#(?<job>[^\[]+)([^\r\n]+[\r\n]){2}\s*\=\s*SCRIPT[^:]+:\s*(?<script>[^\r\n]+)([^\r\n]+[\r\n])+\s*\=\s*Exit\s*Status[^:]+:\s*(?<exit_status>[\w]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly what I needed to do, thank you|
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this regex a try,
| makeresults
| eval string="================================================================
= JOB : MAXFED33S-LHMX#MDK1997DAILYFTPCONN[(2130 10/31/18),(0AAAAAAAAAAAOBWS)]
= USER : DOMAIN\khectic
= SCRIPT : c:\scripts\mdk_copy.bat
= Job Number: 2484514
===============================================================
********************************************************************************************
** copying from
** \temp\mdk_temp.csv
** to
** \target\
** success **
********************************************************************************************
===============================================================
= Exit Status :OK
==============================================================="
| rex field=string "JOB.+#(?<job>\w+)\["
| rex field=string "SCRIPT\s+:\s(?<script>[^\s]+)"
| rex field=string "Exit\sStatus\s+:(?<exit_status>\w+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sudosplunk Yes, this works as well, thank you, but is there a way to combine all three into a single rex?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, if you're certain that the data is in this pattern/format all the time, then use the 1st regex which takes 137 steps to find the match.
If you're not sure about that then use 2nd regex which takes 688 steps to find the match.
Regex1:
https://regex101.com/r/cEF2wR/1
| rex field=string "JOB[\s\w-:]+#(?<job>\w+)\[.+[\s\w=]+\:\s?(?<user>[^\s]+)[\s\w=]+\:\s?(?<script>[^\s]+)[\s\w=]+\:\s?(?<job_number>[^\s]+)[\s\S]+Exit\sStatus\s+\:(?<exit_status>\w+)"
Regex2:
https://regex101.com/r/AX9pfC/1
| rex field=string "JOB[\s\w-:]+#(?<job>\w+)\[[\s\w\W]+SCRIPT\s+\:\s?(?<script>[^\s]+)[\s\S]*Exit\sStatus\s+:(?<exit_status>\w+)"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
