Splunk Search

How do I formulate a regex so that I can search different types of events?

zacksoft
Contributor

event 1:

31.138.204.1 | ssh | o*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | 0 | 15122 | 738 | **push**, ssh:user:id:121237 | 1595| 10togc8 |

event 2:

31.138.204.1 | ssh | i*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | - | - | - | push, ssh:user:id:121237 | - | -|

I have two types of events, and in some events the item after the second pipebar starts with 'o*' and in others it starts with 'i*'.
How do I formulate a regex so that I can search either type of events?

0 Karma

niketn
Legend

@zacksoft Your field structure seems the same for both events, which can be easily extracted as INDEXED_EXTRACTIONS = psv. You can have an additional field created using regex field extraction and/or eval transform to call o as output and i as input.

If your field names are actually completely different for the two events and you want separate field extractions for both, then one of the options I would try is to use regex based on this i or o match using props.conf and transforms.conf while indexing (on heavy forwarder or indexer) to route the events to two separate sourcetypes. Then for each sourcetype define their own field extraction. Refer to the Splunk documentation Routing and Filtering Data.

Please let us know if you need further help with any of the above approaches.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

zacksoft
Contributor

@niketnilay What I essentially want is, "Check for the field after second pipebar and if it starts with 'i' then exclude that event from the base search itself".

All the events where the item after the second pipebar begins with i (example i*1N0HIQQx434x12481145x1) are unnecessary for me.

0 Karma

zacksoft
Contributor

Not at forwarder level. In the query itself we are looking to parse the events and extract the value of fields (such as ZI53713, 1595 ,10togc8), if the field after second pipeline starts with 'o'.

The events where the item after the second pipebar starts with 'i' should be excluded.

Hope I am not confusing.
A sample SPL will help.

0 Karma

zacksoft
Contributor

@niketnilay

All of the events in our log come in pairs (just like the example I have provided). The only difference between the two paired events is i* or o*, indicating input and output transaction.

The event with o* contains a value 1595. That value indicates the response time of the entire transaction.
And 'push' indicates the transaction type.

The ultimate goal is to identify the response time per each transaction from the paired event.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Try this. Replace FIELD_NAME with whatever you want the field to be called.

ssh\s\|\s(?<FIELD_NAME>\S+)

https://regex101.com/r/2aTDqb/1

0 Karma

zacksoft
Contributor

'ssh' isn't always going to be the field after first pipe.
What I essentially want is, "Check for the field after second pipebar and if it starts with 'i' then exclude that event from the base search itself".

All the events where the item after the second pipebar begins with i (example i*1N0HIQQx434x12481145x1) are unnecessary for me.

0 Karma
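As an added illustration (not code posted by anyone in this thread), here is a Python version of the two ideas above: niketn's point that the events are plain pipe-separated records whose third column carries the i/o direction marker, and skoelpin's regex, rewritten so that it counts pipes instead of anchoring on the literal 'ssh' (which zacksoft notes is not always the second field). The column names (src_ip, user, response_time, trailer, ...) are assumptions chosen for this example, since the log in the question does not name its columns; the second transaction in the sample data is constructed to show a non-ssh second field. The same pattern, with PCRE-style (?<name>...) groups in place of Python's (?P<name>...), should work unchanged in Splunk's rex command followed by a search on direction=o.

```python
import re

# Constructed sample events modelled on the pair in the question. The third
# and fourth lines are made up to show a transaction whose second field is
# not 'ssh'; the positional regex below does not depend on that value.
SAMPLE_EVENTS = [
    "31.138.204.1 | ssh | o*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | "
    "SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | 0 | 15122 | 738 | "
    "push, ssh:user:id:121237 | 1595| 10togc8 |",
    "31.138.204.1 | ssh | i*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | "
    "SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | - | - | - | "
    "push, ssh:user:id:121237 | - | -|",
    "10.0.0.5 | https | o*9ABCDEFx434x99x1 | AB12345 | 2018-05-28 07:20:01,000 | "
    "HTTPS - git-upload-pack '/team/repo.git' | - | 0 | 20 | 30 | "
    "fetch, https:user:id:555 | 42| q1w2e3 |",
    "10.0.0.5 | https | i*9ABCDEFx434x99x1 | AB12345 | 2018-05-28 07:20:01,000 | "
    "HTTPS - git-upload-pack '/team/repo.git' | - | - | - | - | "
    "fetch, https:user:id:555 | - | -|",
]

# Skip the first two pipe-delimited fields whatever they contain, then capture
# the direction marker ('o' or 'i') and the transaction id after the '*'.
# Python spells named groups (?P<name>...); Splunk rex uses (?<name>...).
DIRECTION_RE = re.compile(r"^(?:[^|]*\|){2}\s*(?P<direction>[oi])\*(?P<txn_id>\S+)")

# Assumed column names for the 13 pipe-separated fields; the question only
# tells us that column 12 is the response time and column 11 starts with the
# transaction type, so the rest are placeholders.
FIELD_NAMES = ["src_ip", "protocol", "txn", "user", "timestamp", "command",
               "col7", "col8", "col9", "col10", "action", "response_time", "trailer"]


def parse_event(raw):
    """Return a dict of fields for one event, or None if it is not a paired record."""
    m = DIRECTION_RE.match(raw)
    if m is None:
        return None
    # Drop the trailing '|' so the split yields exactly one entry per column.
    cols = [c.strip() for c in raw.strip().rstrip("|").split("|")]
    if len(cols) != len(FIELD_NAMES):
        return None
    ev = dict(zip(FIELD_NAMES, cols))
    ev["direction"] = m.group("direction")
    ev["txn_id"] = m.group("txn_id")
    # "push, ssh:user:id:121237" -> transaction type plus the acting identity.
    txn_type, _, actor = ev["action"].partition(",")
    ev["txn_type"] = txn_type.strip()
    ev["actor"] = actor.strip()
    return ev


def output_events(events):
    """Keep only the o* (output) records; the i* records are excluded, as asked."""
    parsed = (parse_event(e) for e in events)
    return [ev for ev in parsed if ev is not None and ev["direction"] == "o"]


def response_times(events):
    """Map each transaction id to (transaction type, response time) from its o* record."""
    result = {}
    for ev in output_events(events):
        rt = ev["response_time"]
        result[ev["txn_id"]] = (ev["txn_type"], int(rt) if rt.isdigit() else None)
    return result


if __name__ == "__main__":
    for txn_id, (kind, rt) in response_times(SAMPLE_EVENTS).items():
        print(f"{txn_id}: {kind} response_time={rt}")
```

Counting pipes rather than matching 'ssh' is what makes the extraction survive a different second field; the length check in parse_event drops any line that is not the 13-column shape, so a malformed or unrelated event is skipped instead of producing misaligned fields.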