Splunk Search

How do I formulate a regex so that I can search different types of events?

Communicator

event 1:

31.138.204.1 | ssh | o*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | 0 | 15122 | 738 | push, ssh:user:id:121237 | 1595| 10togc8 |

event 2:

31.138.204.1 | ssh | i*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | - | - | - | push, ssh:user:id:121237 | - | -|

I have two types of events, and in some events the item after the second pipebar starts with 'o' and in others it starts with 'i'.
How do I formulate a regex so that I can search either type of events?

0 Karma

Re: How do I formulate a regex so that I can search different types of events?

SplunkTrust

Try this. Replace FIELD_NAME with whatever you want the field to be called:

ssh\s\|\s(?<FIELD_NAME>\S+)

https://regex101.com/r/2aTDqb/1

0 Karma

Re: How do I formulate a regex so that I can search different types of events?

Communicator

'ssh' isn't always going to be the field after the first pipe.
What I essentially want is, "Check for the field after second pipebar and if it starts with 'i' then exclude that event from the base search itself".

All the events where the item after the second pipebar begins with i (example i*1N0HIQQx434x12481145x1) are unnecessary for me.

0 Karma

Re: How do I formulate a regex so that I can search different types of events?

Legend

@zacksoft Your field structure seems the same for both events, which can be easily extracted as INDEXED_EXTRACTIONS = psv. You can have an additional field created using regex field extraction and/or an eval transform to call o as output and i as input.

If your field names are actually completely different for the two events and you want separate field extractions for both, then one of the options I would try is to use a regex based on this i or o match in props.conf and transforms.conf while indexing (on a heavy forwarder or indexer) to route the events to two separate sourcetypes. Then for each sourcetype define its own field extraction. Refer to the Splunk documentation "Routing and Filtering Data".

Please let us know if you need further help with any of the above approaches.

| eval message="Happy Splunking!!!"
0 Karma

Re: How do I formulate a regex so that I can search different types of events?

Communicator

Not at forwarder level. In the query itself we are looking to parse the events and extract the values of fields (such as ZI53713, 1595, 10togc8) if the field after the second pipeline starts with 'o'.

The events where the item after the second pipebar starts with 'i' should be excluded.

Hope I am not confusing.
A sample SPL will help.

0 Karma

Re: How do I formulate a regex so that I can search different types of events?

Communicator

@niketnilay

All of the events in our log come in pairs (just like the example I have provided). The only difference between the two paired events is i* or o*, indicating input and output transaction.

The event with o* contains a value 1595. That value indicates the response time of the entire transaction.
And 'push' indicates the transaction type.

The ultimate goal is to identify the response time per each transaction from the paired event.

0 Karma

Re: How do I formulate a regex so that I can search different types of events?

Communicator

@niketnilay What I essentially want is, "Check for the field after second pipebar and if it starts with 'i' then exclude that event from the base search itself".

All the events where the item after the second pipebar begins with i (example i*1N0HIQQx434x12481145x1) are unnecessary for me.

0 Karma
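An added worked example (mine, not from any poster in this thread) of the regex the question asks for, run over the two events above: it anchors at the start of the event and counts pipe separators instead of matching the literal 'ssh', so only the o* event matches and the i* event is excluded; the group names (user, txn_type, resp_time, tail) are my own labels for the values ZI53713, push, 1595 and 10togc8.

```python
import re

# Events copied from the thread: event 1 is the o* (output) transaction, event 2
# the paired i* (input) transaction that must be excluded.
EVENT_1 = ("31.138.204.1 | ssh | o*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | "
           "SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | 0 | 15122 | 738 | "
           "push, ssh:user:id:121237 | 1595| 10togc8 |")
EVENT_2 = ("31.138.204.1 | ssh | i*1N0HIQQx434x12481145x1 | ZI53713 | 2018-05-28 07:14:47,848 | "
           "SSH - piv-receive-pack '/hvq849/spcp-mdo-scoring.git' | - | - | - | - | "
           "push, ssh:user:id:121237 | - | -|")

# Anchored at the start of the event and counting pipe separators, so it does not
# depend on the second field being the literal "ssh". Only an o* event can match.
# The group names are my own labels for the values the thread wants extracted.
RESPONSE_EVENT = re.compile(
    r"^\s*(?P<src_ip>[^|]+?)\s*\|"       # 31.138.204.1
    r"\s*(?P<proto>[^|]+?)\s*\|"         # ssh (any value accepted here)
    r"\s*o\*(?P<txn_id>\S+)\s*\|"        # o*<id>; an i*<id> event fails here
    r"\s*(?P<user>\S+)\s*\|"             # ZI53713
    r"\s*(?P<ts>[^|]+?)\s*\|"            # 2018-05-28 07:14:47,848
    r"\s*(?P<cmd>[^|]+?)\s*\|"           # SSH - piv-receive-pack ...
    r"(?:[^|]*\|){4}"                    # four fields not needed here
    r"\s*(?P<txn_type>[^,|]+?)\s*,"      # push
    r"[^|]*\|\s*(?P<resp_time>\d+)\s*\|" # 1595 (response time of the transaction)
    r"\s*(?P<tail>\S+)\s*\|"             # 10togc8
)

def parse_response_event(raw):
    """Return the extracted fields of an o* event, or None for any other event."""
    m = RESPONSE_EVENT.match(raw)
    if m is None:
        return None
    fields = m.groupdict()
    fields["resp_time"] = int(fields["resp_time"])
    return fields

def response_times(events):
    """(txn_id, txn_type, response time) for each o* event; i* events are dropped."""
    rows = []
    for raw in events:
        fields = parse_response_event(raw)
        if fields is not None:
            rows.append((fields["txn_id"], fields["txn_type"], fields["resp_time"]))
    return rows

if __name__ == "__main__":
    for row in response_times([EVENT_1, EVENT_2]):
        print(row)  # ('1N0HIQQx434x12481145x1', 'push', 1595)
```

In SPL the same two steps would be `| regex _raw="^(?:[^|]*\|){2}\s*o\*"` to drop the i* events, followed by `| rex field=_raw "..."` with the same pattern written in Splunk's `(?<name>...)` group syntax; that is my assumed equivalent, not something confirmed in the thread.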