Solved: How to exclude a match in regex - Regex

Kanesol · ‎04-02-2013

I have this search:

index="blah" source="blah" cs_Referer_="-" NOT(some keyword exclusion here) | regex cs_host="^(\b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b)+"

and I wish to add this to it as a NOT :

regex cs_uri_stem="\?d=[\w.]+@\w+.\w+"

Not sure how to go about this. Any Input is appreciated.

hexx · ‎04-02-2013

I think you've got the most reasonable solution already with this search:

index="blah" source="blah" cs_Referer_="-" NOT(some keyword exclusion here) | regex cs_host="^(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)+" | regex cs_uri_stem="\?d=[\w.]+@\w+.\w+"

Attempting to contract both regular expressions into one probably won't yield any performance benefits.

View solution in original post

hexx · ‎04-02-2013

I think you've got the most reasonable solution already with this search:

index="blah" source="blah" cs_Referer_="-" NOT(some keyword exclusion here) | regex cs_host="^(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)+" | regex cs_uri_stem="\?d=[\w.]+@\w+.\w+"

Attempting to contract both regular expressions into one probably won't yield any performance benefits.

Kanesol · ‎04-02-2013

Thanks for confirming that for me. I was hoping for something a little nicer.

Kanesol · ‎04-02-2013

To update, I've resorted to just adding more and more pipes for each regex which I believe is not optimal but serviceable. I'm hoping someone can come up with a more elegant way 🙂

index="blah" source="blah" cs_Referer_="-" NOT(some keyword exclusion here) | regex cs_host="^(bd{1,3}.d{1,3}.d{1,3}.d{1,3}b)+" | regex cs_uri_stem!="?d=[w.]+@w+.w+"

How to exclude a match in regex - Regex

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies