Splunk Search

How to perform targeted searches on rex fields?

samsam48
Explorer

I have some unstructured events, and I've been using rex field to create a variety of fields to better organize everything. Is there a way to use these fields in the search itself? For example, I currently have a query like:

sourcetype=ServerA (word1 OR word2 OR word3) | rex field=_raw "] (?<error_location>.*?) " | error_location NOT "theMainFile"

Is it possible to now use this error_location field in the same query to better refine the search? Currently, my approach doesn't work.

Any suggestions would be appreciated.

1 Solution

gcusello
SplunkTrust

Hi samsam48,
a field extracted using a rex command can be used like the other fields:

 sourcetype=ServerA (word1 OR word2 OR word3) 
| rex field=_raw "] (?<error_location>.*?) " 
| search error_location!="theMainFile"

In addition, I suggest always using index in your searches.

Bye.
Giuseppe


arns
New Member

You could try:

sourcetype=ServerA (word1 OR word2 OR word3) | rex field=_raw "] (?<error_location>.*?) " | search error_location!="theMainFile"


samsam48
Explorer

Hi Cusello,

This worked, but does this always extend to multiple searches? If I had another rex field could I also apply a search to it while still keeping the search for error_location?

Also, what do you mean by always index in my searches? How would I change my query?

Thanks


gcusello
SplunkTrust

Hi samsam48,
you can use more fields in the search command with boolean operators (remember that no operator means AND).

You can use the rex command several times in a search, or extract more fields in the same rex, and use all of them in the following search command, e.g.

my_search
| rex "regex extracting field1"
| rex "regex extracting field2"
| rex "regex extracting field3"
| search field1=value1 field2=value2 field3=value3

You have two ways to extract fields:

  • using field extractor
  • using the rex command

the first one is related to a single sourcetype and permits extracting a field once and using it in every search;
the second one isn't related to a sourcetype and is applicable to all the results of a search regardless of the sourcetype, but the field must be extracted in every search.

Remember that for performance it's better to have the search parameters as far left as you can, so (if possible) it's better to extract a field outside the search and use it in the main search without declaring it in the regex.

About the index, it's better to use the index parameter in every search to have more performant searches, because if you don't declare it (you can also declare more than one) Splunk runs your search in all the indexes of the default search path instead of the one you want. In addition, you could find no results if your index isn't in the default search path declared for your user's role (if you're using admin you have all the indexes in the default search path), e.g. in your search

index=my_index sourcetype=ServerA (word1 OR word2 OR word3)
...

See http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/GetstartedwithSearch

Bye.
Giuseppe
P.S. if you're satisfied by this answer, accept and/or upvote it.

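A self-contained version of the multi-field approach described in the answer above, added here as an illustration and not part of the original answer. The three events are constructed with makeresults so the search runs in any Splunk instance without an index; the log format, field names (level, error_location, line_no, message) and sample text are invented for the example:

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n==1, "2024-01-01 10:00:00 [ERROR] theMainFile line 42 timeout contacting db",
                 n==2, "2024-01-01 10:00:05 [ERROR] authHandler line 17 invalid token",
                 n==3, "2024-01-01 10:00:09 [WARN] authHandler line 21 retry exceeded")
| rex field=_raw "\[(?<level>[A-Z]+)\] (?<error_location>\S+) line (?<line_no>\d+) (?<message>.*)$"
| search error_location!="theMainFile" level="ERROR"
| table _time level error_location line_no message
```

One rex extracts four fields, and the following search combines two conditions with the implicit AND, so only the authHandler ERROR event remains. In a real search the makeresults/eval lines are replaced by index=... sourcetype=... and the literal filter terms, kept before the first pipe.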

493669
Super Champion

Can you share your sample event?
