Splunk Search

How do I develop a rex command that extracts non-contiguous characters into one capturing group?


I need some assistance coding a rex statement to extract data from events generated by a Powershell script.
Sample data:

Name                                   Port        Description             Protocol
Windows remote mgmt                 RPC 135     @FirewallAPI              TCP
Corenet-12345                         421                                    TCP
Port 75 and 443                                                              UDP

I have two questions:
1) How do I extract non-contiguous characters into one capturing group (one for name and the other for port)
2) How do I handle cases where one or more fields are blank? (in this case, the port in the second row and both the port and description in the third row?

Thanks in advance for your help.

0 Karma


If data are at fixed length, you can do some like this:


Look at this:

0 Karma



Does your data really look like that, with the fields always fixed length as you have shown, or can the fields be variable length?


0 Karma


What options do you have to modify the generating PowerShell cmdlet or function?
We might be able to avoid having to use RegEx / rex altogether. Since the various, .Name, .Port, .Description and .Protocol are all properties of the object(s) returned by the calling PowerShell, you could consider formatting the output as CSV, XML or at least another delimited output that would be easier to parse with rex.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...