How to modify a regular expression for a field?
Hi all,
Jan 29 03:08:45 wmcloudsftp internal-sftp[7257]: close "/datafeed/GetPerfLogPREPRODD" bytes read 0 written 317555
For the above content I need a regular expression for bytes read 0 written 317555. I added a name field for it as ACTIVITY. The regular expression I can get is ^(?:[^ \n]* ){7}(?P<ACTIVITY>.+)
How can I change the name ACTIVITY into a proper regular expression to get bytes read 0 written 317555 when I enter a field?
I have a query in which I want to add a regular expression so that it can display the events with bytes read 0 written 317555. So I need a regular expression which I can add to this query:
index=sftp USER=gradydftsftpdata SESSION_ID=* | table USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP| join type=left max=2 SESSION_ID [search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close" | table SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION
With this query I get the content that I needed. But along with that content I need to display any session_id that contains bytes read 0 written 317555 in it.
Thank you.

Like this:
... | rex field=_raw "(?<ACTIVITY>bytes read (?<BYTES_READ>\d+) written (?<BYTES_WRITTEN>\d+))"

You didn't say whether that information was coming out of the left or right sections of that join.
I'm going to assume it comes out of the initial search. Move the code down to the subsearch if it comes out of the second one.
index=sftp USER=gradydftsftpdata SESSION_ID="whatever you had here"
| rex field=_raw "(?<ACTIVITY>bytes read\s+\d+\s+written\s+\d+)\b"
| eval ACTIVITY=coalesce(ACTIVITY," ")
| table USER, SESSION_ID, USER_IP, date_hour, _time, ACTIVITY
| dedup SESSION_ID, USER_IP
| join type=left max=2 SESSION_ID
[search index=sftp SESSION_ID= date_hour=* ACTION="open" OR ACTION="close"
| table SESSION_ID, FILE_NAME, _time, USER_IP, ACTION]
| table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION, ACTIVITY
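The extraction the answers above describe, as an added Python example that is not from the thread: the same rex pattern run over constructed internal-sftp events, with the process id in internal-sftp[NNNN] assumed to stand in for SESSION_ID, and a filter that returns only the sessions whose close event reports bytes read 0 written 317555.

```python
import re

# Constructed sample events modelled on the event in the question (not real logs).
SAMPLE_EVENTS = [
    'Jan 29 03:08:40 wmcloudsftp internal-sftp[7257]: open "/datafeed/GetPerfLogPREPRODD" flags WRITE,CREATE,TRUNCATE mode 0644',
    'Jan 29 03:08:45 wmcloudsftp internal-sftp[7257]: close "/datafeed/GetPerfLogPREPRODD" bytes read 0 written 317555',
    'Jan 29 03:09:12 wmcloudsftp internal-sftp[7301]: close "/datafeed/daily.csv" bytes read 4096 written 0',
]

# Python spelling of the answer's rex pattern: Python's re needs (?P<name>...), Splunk accepts (?<name>...).
# The outer group is the ACTIVITY field; the inner groups split out the two counters.
ACTIVITY_RE = re.compile(
    r"(?P<ACTIVITY>bytes read\s+(?P<BYTES_READ>\d+)\s+written\s+(?P<BYTES_WRITTEN>\d+))\b"
)
# Host, process id (assumed here to stand in for SESSION_ID), action and quoted file name.
# Three timestamp tokens and the host precede the process tag, as in the sample event.
HEADER_RE = re.compile(
    r'^\S+\s+\S+\s+\S+\s+(?P<HOST>\S+)\s+internal-sftp\[(?P<SESSION_ID>\d+)\]:\s+'
    r'(?P<ACTION>\w+)\s+"(?P<FILE_NAME>[^"]+)"'
)

def extract(event):
    """Fields the two rex commands would add to one _raw event; ACTIVITY is "" when absent."""
    # An "open" event has no byte counters, so ACTIVITY stays empty, which is what
    # eval ACTIVITY=coalesce(ACTIVITY," ") achieves in the answer above.
    fields = {"ACTIVITY": "", "BYTES_READ": None, "BYTES_WRITTEN": None}
    header = HEADER_RE.match(event)
    if header:
        fields.update(header.groupdict())
    activity = ACTIVITY_RE.search(event)
    if activity:
        fields["ACTIVITY"] = activity.group("ACTIVITY")
        fields["BYTES_READ"] = int(activity.group("BYTES_READ"))
        fields["BYTES_WRITTEN"] = int(activity.group("BYTES_WRITTEN"))
    return fields

def sessions_with_transfer(events, bytes_read, bytes_written):
    """Session ids whose close event reports exactly these counters (the question's filter)."""
    return sorted(
        f.get("SESSION_ID")
        for f in map(extract, events)
        if f["BYTES_READ"] == bytes_read and f["BYTES_WRITTEN"] == bytes_written
    )

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract(event))
    print(sessions_with_transfer(SAMPLE_EVENTS, 0, 317555))  # ['7257']
```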

Make sure to format your code as code (highlight your code and press the button that has 101 010 on it). Otherwise, any regular expressions will have their angle brackets deleted by the web interface.

Give this a try
your base search | rex "^(\S+\s+){5}(?<ACTIVITY>\w+)\s+\"[^\"]+\"\s+(?<YourField>\w+\s+\w+\s+\d+\s+\w+\s+\d+)"

I am not sure I understand this question. Given your sample event, can you provide an example of what you want to do?

Thanks for your response.
I have a query in which I want to add a regular expression so that it can display the events with bytes read 0 written 317555. So I need a regular expression which I can add to this query:
index=sftp USER=gradydftsftpdata SESSION_ID=* | table USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP| join type=left max=2 SESSION_ID [search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close" | table SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION
With this query I get the content that I needed. But along with that content I need to display any session_id that contains bytes read 0 written 317555 in it.

Ah, OK.
Try adding the following before the first "|" of each search:
| rex field=_raw "(?<ACTIVITY>)\w+\s\d+\s\w+\s\d+)$"
That should give you "read nnn written nnnnn" for each event.
Also change all your "table" commands to "fields", except for the very last one. It will allow your search to complete faster without affecting your results.

Hi
index=sftp USER=gradydftsftpdata SESSION_ID=* | rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$" | fields USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP | join type=left max=2 SESSION_ID [search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close"| rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$" | fields SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$"| table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION
Is this the correct way to join the regular expression?

Yes, although it looks like the forum removed your field name in angle brackets after the question mark.
Just try this to test that the field contains what you want:
index=sftp USER=gradydftsftpdata SESSION_ID=* | rex field=_raw "(?<ACTIVITY>)\w+\s\d+\s\w+\s\d+)$" | head 100

Error in 'rex' command: Encountered the following error while compiling the regex '(?)\w+\s\d+\s\w+\s\d+)$': Regex: unmatched parentheses
I found out that error. Is that something I'm missing in that query?

Sorry, my bad. Please remove the extra ")" right after ACTIVITY and try again.