Splunk Search

How to modify a regular expression for a field?

sujith0311
New Member

Hi all,

Jan 29 03:08:45 wmcloudsftp internal-sftp[7257]: close "/datafeed/GetPerfLogPREPRODD" bytes read 0 written 317555

For the above content i need a regular expression from bytes read 0 written 317555. I added a name field for it as ACTIVITY. The regular expression i can get is ^(?:[^ \n]* ){7}(?P.+)

How can i change the name ACTIVITY into a proper regular expression to get bytes read 0 written 317555 when i enter a field

I have a query in which i want to add a regular expression where it can display the events with bytes read 0 written 317555. So i need a regular expression which i can add it to this query
index=sftp USER=gradydftsftpdata SESSION_ID= | table USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP| join type=left max=2 SESSION_ID [search index=sftp SESSION_ID= date_hour=* ACTION="open" OR ACTION="close" | table SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION.

Wih this query i get the content that i needed. But along with that content i need to display any session_id that content bytes read 0 written 317555 in it.

Thank you.

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex field=raw "(?<ACTIVITY>bytes read (?<BYTES_READ>\d+) written (?<BYTES_WRITTEN>\d+))"
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

You didn't say whether that information was coming out of the left or right secions of that join.

I'm going to assume it comes out of the initial search. Move the code down to the subsearch if it comes out of the second one.

index=sftp USER=gradydftsftpdata SESSION_ID="whatever you had here"
| rex  field=_raw "(?<ACTIVITY>bytes read\s+\d+\s+written\s+\d+)\b"
| eval ACTIVITY=coalesce(ACTIVITY," ")
| table USER, SESSION_ID, USER_IP, date_hour ,_time, ACTIVITY 
| dedup SESSION_ID, USER_IP
| join type=left max=2 SESSION_ID 
   [search index=sftp SESSION_ID= date_hour=* ACTION="open" OR ACTION="close" 
   | table SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] 
| table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION, ACTIVITY
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

make sure to format your code as code (highlight your code and press the button that has 101 010 on it.) Otherwise, any regular expressions will have their angle brackets deleted by the web interface.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

your base search | rex  "^(\S+\s+){5}(?<ACTIVITY>\w+)\s+\"[^\"]+\"\s+(?<YourField>\w+\s+\w+\s+\d+\s+\w+\d+)"
0 Karma

s2_splunk
Splunk Employee
Splunk Employee

I am not sure I understand this question. Given your sample event, can you provide an example of what you want to do?

0 Karma

sujith0311
New Member

Thanks for you response.
I have a query in which i want to add a regular expression where it can display the events with bytes read 0 written 317555. So i need a regular expression which i can add it to this query
index=sftp USER=gradydftsftpdata SESSION_ID=* | table USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP| join type=left max=2 SESSION_ID [search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close" | table SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION.

Wih this query i get the content that i needed. But along with that content i need to display any session_id that content bytes read 0 written 317555 in it.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Ah, OK.
Try adding the following before the first "|" of each search:

| rex field=_raw "(?<ACTIVITY>)\w+\s\d+\s\w+\s\d+)$"

That should give you "read nnn written nnnnn" for each event.

Also change all your "table" commands to "fields", except for the very last one. It will allow your search to complete faster without affecting your results.

0 Karma

sujith0311
New Member

Hi

index=sftp USER=gradydftsftpdata SESSION_ID=* | rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$" | fields USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP | join type=left max=2 SESSION_ID [search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close"| rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$" | fields SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$"| table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION

Is this the correct way to join the regular expression??

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Yes, although it looks like the forum removed your fieldname in angle brackets after the question mark.
just try this to test that the filed contains what you want:
index=sftp USER=gradydftsftpdata SESSION_ID=* | rex field=_raw "(?<ACTIVITY>)\w+\s\d+\s\w+\s\d+)$" | head 100

0 Karma

sujith0311
New Member

Error in 'rex' command: Encountered the following error while compiling the regex '(?)\w+\s\d+\s\w+\s\d+)$': Regex: unmatched parentheses

I found out that error . Is that something i'm i missing in that query ??

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Sorry, my bad. Please remove the extra ")" right after ACTIVITY and try again

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...