Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I develop a rex command that extracts non-contiguous characters into one capturing group?

pc1234
Explorer
‎09-27-2016 06:39 AM

I need some assistance coding a rex statement to extract data from events generated by a Powershell script.
Sample data:

Name                                   Port        Description             Protocol
Windows remote mgmt                 RPC 135     @FirewallAPI              TCP
Corenet-12345                         421                                    TCP
Port 75 and 443                                                              UDP

I have two questions:
1) How do I extract non-contiguous characters into one capturing group (one for name and the other for port)
2) How do I handle cases where one or more fields are blank? (in this case, the port in the second row and both the port and description in the third row?

Thanks in advance for your help.

0 Karma
Reply

lakromani
Builder
‎09-28-2016 02:08 AM

If data are at fixed length, you can do some like this:

(?<name>.{39})(?<port>.{15})(?<info>.{26})(?<protocol>.+)

Look at this:
https://regex101.com/r/RwdS6Y/2

0 Karma
Reply

davebrooking
Contributor
‎09-28-2016 12:48 AM

Hi

Does your data really look like that, with the fields always fixed length as you have shown, or can the fields be variable length?

Dave

0 Karma
Reply

bcdady
Explorer
‎09-27-2016 06:50 PM

What options do you have to modify the generating PowerShell cmdlet or function?
We might be able to avoid having to use RegEx / rex altogether. Since the various, .Name, .Port, .Description and .Protocol are all properties of the object(s) returned by the calling PowerShell, you could consider formatting the output as CSV, XML or at least another delimited output that would be easier to parse with rex.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...