Splunk Search

How to generate the regex to extract distinct values of this field?

lsy9891
Engager

Hi,

I have events with the field WindowsIdentity. Some examples of this field values are:

WindowsIdentity: IIS APPPOOL\login20.monster.com
IIS APPPOOL\ jobs.monster.com
IIS APPPOOL\ hiring.channels.monster.com_jcm
IIS APPPOOL\ wwwcs.channels.monster.com

I tried extracting it with the IFX and I used it like this: rex field=WindowsIdentity "(?P\w+)" but it extracts IIS instead of the text highlighted in bold?


wenthold
Communicator

I'm not entirely clear how your messages are actually formatted. Is "WindowsIdentity" the name of the field and also part of the field? Are all these lines part of the same message, and do you want to skip the first value, "WindowsIdentity: IIS APPPOOL\login20.monster.com"?

Maybe this will work:

{ ... base search ... }
| rex max_match=100 field=WindowsIdentity "IIS APPPOOL\\\+\s?(?<App>.*?)\.monster\.com"
| eval app_count=mvcount(App) | eval App=mvindex(App,1,app_count)

KailA
Contributor

Hello,

You can try this regex

| rex field=WindowsIdentity "(?<yourNewField>[\w\.]+)\.monster"

This is an example :

| makeresults
| eval WindowsIdentity = "IIS APPPOOL\ jobs.monster.com"
| rex field=WindowsIdentity "(?<yourNewField>\w+)\.monster"

lsy9891
Engager

Hi, the rex command extracted some important info from the URL. For example,

IIS APPPOOL\career-advice.monster.com should be extracted to career-advice and not channels. Basically, anything that's between \ and monster.com. How should I fix that?


KailA
Contributor

Hello,

This regex is a bit greedy, but it's doing exactly what you ask:

| makeresults
| eval WindowsIdentity = "IIS APPPOOL\career-advice.monster.com"
| rex field=WindowsIdentity "\\\\(?<yourNewField>.*)\.monster"

If you need another regex that is a bit more safe you can use this one :

| makeresults
| eval WindowsIdentity = "IIS APPPOOL\career-advice.monster.com"
| rex field=WindowsIdentity "\\\\(?<yourNewField>[\w\-\.]+)\.monster"

And if it's not matching a particular character you can add it to this part [\w\-\.]+

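As an added worked example (not code from the thread), the patterns discussed above run in Python's `re` module against the sample WindowsIdentity values quoted in the question plus the hyphenated one from the follow-up. Python's regex syntax is close enough to Splunk's PCRE to show two things: which pattern returns the text between the backslash and `.monster.com` for every sample, including the ones with a space after the backslash, and why a single `\\` before the group (as in the one-liner further down) fails to compile with an unmatched-parenthesis error. The sample list is constructed here; the function and pattern names are this example's own.

```python
"""Added example: exercise the thread's candidate regexes with Python's re.

Constructed sample inputs are copied from the values quoted in the question
and the follow-up; nothing here is Splunk's or the original posters' code.
"""
import re
from typing import List, Optional

# Constructed samples. Three of the quoted values have a space after the
# backslash, which a pattern without \s* silently fails to match.
SAMPLES = [
    "IIS APPPOOL\\login20.monster.com",
    "IIS APPPOOL\\ jobs.monster.com",
    "IIS APPPOOL\\ hiring.channels.monster.com_jcm",
    "IIS APPPOOL\\ wwwcs.channels.monster.com",
    "IIS APPPOOL\\career-advice.monster.com",
]

# The earlier attempt from the thread: a word/dot class anchored on ".monster".
# It cannot cross a hyphen, so "career-advice" comes back as "advice".
FIRST_ATTEMPT_RE = re.compile(r"(?P<app>[\w.]+)\.monster")

# Working pattern: a literal backslash, optional whitespace, then everything
# made of word chars, dots and hyphens up to the last ".monster". In a Python
# raw string `\\` reaches the engine as an escaped backslash; in a Splunk
# double-quoted rex string the same thing must be written `\\\\`, because SPL
# unescapes the string once before PCRE sees it.
APP_POOL_RE = re.compile(r"\\\s*(?P<app>[\w.-]+)\.monster")

# Broken variant mirroring the one-liner in the thread, written as a normal
# (non-raw) Python string: "\\(" becomes `\(` for the engine, so the opening
# parenthesis is a literal and the closing one is unmatched.
BROKEN_PATTERN = "IIS APPPOOL\\(?P<app>[.\\w]+).monster"


def extract_app(identity: str, pattern: re.Pattern = APP_POOL_RE) -> Optional[str]:
    """Return the app-pool name between the backslash and '.monster', or None."""
    m = pattern.search(identity)
    return m.group("app") if m else None


def extract_all(values: List[str], pattern: re.Pattern = APP_POOL_RE) -> List[Optional[str]]:
    """Apply extract_app to every value, preserving order (None where no match)."""
    return [extract_app(v, pattern) for v in values]


def pattern_compiles(pattern: str) -> bool:
    """True if the regex compiles; False on the kind of error the thread hit."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for value, app in zip(SAMPLES, extract_all(SAMPLES)):
        print(f"{value!r} -> {app!r}")
    print("first attempt on hyphenated value:",
          extract_app("IIS APPPOOL\\career-advice.monster.com", FIRST_ATTEMPT_RE))
    print("broken pattern compiles:", pattern_compiles(BROKEN_PATTERN))
```

The escaping layers are the whole difficulty here: the regex engine wants `\\` for one literal backslash, and each string language in between (SPL's double quotes, a non-raw Python string) consumes one level of escaping before the engine sees the pattern. Testing the pattern in a regex tester shows only the engine's view; the Splunk quoting still has to be added on top.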

memarshall63
Communicator

Yep. I like @KailA 's last one best. I'm suffering from \\ (backslash-backslash) whiplash. 🐵 Suggest letting https://regex101.com/ help you get to the end of it.


memarshall63
Communicator

| rex field=WindowsIdentity "IIS APPPOOL\\(?P<yourNewField>[.\w]+).monster"

lsy9891
Engager

I got Error in 'rex' command: Encountered the following error while compiling the regex 'IIS APPPOOL(?P[.\w]+).monster': Regex: unmatched closing parenthesis
