Hi all,
Jan 29 03:08:45 wmcloudsftp internal-sftp[7257]: close "/datafeed/GetPerfLogPREPRODD" bytes read 0 written 317555
For the above content I need a regular expression for bytes read 0 written 317555. I added a name field for it as ACTIVITY. The regular expression I can get is ^(?:[^ \n]* ){7}(?P<ACTIVITY>.+)
How can I change the name ACTIVITY into a proper regular expression to get bytes read 0 written 317555 when I enter a field?
I have a query in which I want to add a regular expression so that it can display the events with bytes read 0 written 317555. So I need a regular expression which I can add to this query:
index=sftp USER=gradydftsftpdata SESSION_ID=* | table USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP| join type=left max=2 SESSION_ID [search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close" | table SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION
With this query I get the content that I needed. But along with that content I need to display any session_id that contains bytes read 0 written 317555 in it.
Thank you.
Like this:
... | rex field=_raw "(?<ACTIVITY>bytes read (?<BYTES_READ>\d+) written (?<BYTES_WRITTEN>\d+))"
You didn't say whether that information was coming out of the left or right sections of that join.
I'm going to assume it comes out of the initial search. Move the code down to the subsearch if it comes out of the second one.
index=sftp USER=gradydftsftpdata SESSION_ID="whatever you had here"
| rex field=_raw "(?<ACTIVITY>bytes read\s+\d+\s+written\s+\d+)\b"
| eval ACTIVITY=coalesce(ACTIVITY," ")
| table USER, SESSION_ID, USER_IP, date_hour ,_time, ACTIVITY
| dedup SESSION_ID, USER_IP
| join type=left max=2 SESSION_ID
[search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close"
| table SESSION_ID, FILE_NAME, _time, USER_IP, ACTION]
| table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION, ACTIVITY
Make sure to format your code as code (highlight your code and press the button that has 101 010 on it). Otherwise, any regular expressions will have their angle brackets deleted by the web interface.
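The extraction in the answer above, carried out in Python over a few constructed internal-sftp log lines (added example, not part of the original answer or of Splunk). The outer ACTIVITY group and the two inner numeric groups are the same as in the rex; the prefix regex that splits timestamp, host, pid, ACTION and FILE_NAME is an assumption about the fixed part of the line, not something the thread defines. Lines such as "open" carry no byte counts, so ACTIVITY is set to a blank exactly as the eval/coalesce in the query does. The uploaded_files helper goes one step beyond the thread: it reads "bytes read 0 written N" on a close event as a file written by the client, which is how OpenSSH's sftp-server reports byte counts, but that classification is this example's interpretation.

```python
import re

# Same named groups as the rex command: outer ACTIVITY, inner BYTES_READ / BYTES_WRITTEN.
ACTIVITY_RE = re.compile(
    r'(?P<ACTIVITY>bytes read (?P<BYTES_READ>\d+) written (?P<BYTES_WRITTEN>\d+))'
)

# Assumed layout of the fixed syslog prefix (hypothetical field names, not from the thread):
# "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <ACTION> "<FILE_NAME>" ..."
PREFIX_RE = re.compile(
    r'^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<program>[^\[]+)\[(?P<pid>\d+)\]: (?P<ACTION>\w+) "(?P<FILE_NAME>[^"]+)"'
)

# Constructed sample events; the first is the line quoted in the question.
SAMPLE_EVENTS = [
    'Jan 29 03:08:45 wmcloudsftp internal-sftp[7257]: close "/datafeed/GetPerfLogPREPRODD" bytes read 0 written 317555',
    'Jan 29 03:08:44 wmcloudsftp internal-sftp[7257]: open "/datafeed/GetPerfLogPREPRODD" flags WRITE,CREATE,TRUNCATE mode 0644',
    'Jan 29 03:09:10 wmcloudsftp internal-sftp[7311]: close "/datafeed/report.csv" bytes read 4096 written 0',
]


def extract(event):
    """Return the fields a rex on _raw would produce for one event.

    Events without the byte-count pattern get ACTIVITY=" ", mirroring
    `eval ACTIVITY=coalesce(ACTIVITY," ")`; BYTES_READ/BYTES_WRITTEN are
    simply absent for them, as they would be in Splunk.
    """
    fields = {}
    m = PREFIX_RE.match(event)
    if m:
        fields.update(m.groupdict())
    m = ACTIVITY_RE.search(event)
    if m:
        fields.update(m.groupdict())
    else:
        fields["ACTIVITY"] = " "
    return fields


def uploaded_files(events):
    """Interpretation beyond the thread: a close with 0 bytes read and >0 written
    means the client wrote the file (an upload). Returns the file names."""
    result = []
    for fields in map(extract, events):
        if fields.get("ACTION") != "close" or "BYTES_READ" not in fields:
            continue
        if fields["BYTES_READ"] == "0" and int(fields["BYTES_WRITTEN"]) > 0:
            result.append(fields["FILE_NAME"])
    return result


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(extract(e))
    print("uploads:", uploaded_files(SAMPLE_EVENTS))
```

The pattern is anchored with search rather than match, as rex is, so it tolerates any prefix; if the byte counts ever need to be compared numerically in Splunk, convert them with tonumber() first, since rex captures strings.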
Give this a try
your base search | rex "^(\S+\s+){5}(?<ACTIVITY>\w+)\s+\"[^\"]+\"\s+(?<YourField>\w+\s+\w+\s+\d+\s+\w+\s+\d+)"
I am not sure I understand this question. Given your sample event, can you provide an example of what you want to do?
Thanks for your response.
I have a query in which I want to add a regular expression so that it can display the events with bytes read 0 written 317555. So I need a regular expression which I can add to this query:
index=sftp USER=gradydftsftpdata SESSION_ID=* | table USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP| join type=left max=2 SESSION_ID [search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close" | table SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION
With this query I get the content that I needed. But along with that content I need to display any session_id that contains bytes read 0 written 317555 in it.
Ah, OK.
Try adding the following before the first "|" of each search:
| rex field=_raw "(?<ACTIVITY>)\w+\s\d+\s\w+\s\d+)$"
That should give you "read nnn written nnnnn" for each event.
Also change all your "table" commands to "fields", except for the very last one. It will allow your search to complete faster without affecting your results.
Hi
index=sftp USER=gradydftsftpdata SESSION_ID=* | rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$" | fields USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP | join type=left max=2 SESSION_ID [search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close"| rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$" | fields SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$"| table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION
Is this the correct way to join the regular expression?
Yes, although it looks like the forum removed your fieldname in angle brackets after the question mark.
Just try this to test that the field contains what you want:
index=sftp USER=gradydftsftpdata SESSION_ID=* | rex field=_raw "(?<ACTIVITY>)\w+\s\d+\s\w+\s\d+)$" | head 100
Error in 'rex' command: Encountered the following error while compiling the regex '(?)\w+\s\d+\s\w+\s\d+)$': Regex: unmatched parentheses
I found out that error. Is that something I'm missing in that query?
Sorry, my bad. Please remove the extra ")" right after ACTIVITY and try again