Splunk Search

How to write a query to use regex on the basis of an if statement?

Abhineet
Loves-to-Learn Everything

Hi,

I am looking for a Splunk query to use regex on the basis of an if statement.

Query: 

index=jfrog_index "org.artifactory.security.AccessLogger" NOT "127.0.0.1"
| rex field=_raw ".*AccessLogger \[(?<action>[\w\s]+)\].*"
| dedup action
| search action="ACCEPTED*"
| table action

OUTPUT: 

action

ACCEPTED DOWNLOAD
ACCEPTED LOGIN
ACCEPTED DELETE
ACCEPTED DEPLOY
ACCEPTED UPDATE
ACCEPTED PROPERTY_UPDATED
ACCEPTED CONFIGURATION_CHANGE
ACCEPTED BUILD_CREATE

I want to use a separate regex on the basis of the action value with an if condition, so that for events matching one of the actions listed above, the particular regex is applied and the information is filtered out.

This is because the event format differs depending on the action.

For example:

if (action = "ACCEPTED DOWNLOAD", <regex1>)

if (action = "ACCEPTED LOGIN", <regex2>)

regex1 = .*[\s]+\d+ (?<time>[\d:]+) (?<HOST>[\w\d]+) \[(?<date>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo>[\w-]+):(?<package>.*) for client : (?<user>[\_\w\-\d]+) \/ (?<userIp>.*)\.

Please provide a Splunk query for the above example to extract information from differently formatted events for different action types.

Thanks

Abhineet Kumar


gcusello
SplunkTrust

Hi @Abhineet,

do the two regex extractions and then the if condition, something like this:

| rex ".*[\s]+\d+ (?<time1>[\d:]+) (?<HOST1>[\w\d]+) \[(?<date1>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo1>[\w-]+):(?<package1>.*) for client : (?<user1>[\_\w\-\d]+) \/ (?<userIp1>.*)\."
| rex ".*[\s]+\d+ (?<time2>[\d:]+) (?<HOST2>[\w\d]+) \[(?<date2>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo2>[\w-]+):(?<package2>.*) for client : (?<user2>[\_\w\-\d]+) \/ (?<userIp2>.*)\."
| eval 
   time=if(action="ACCEPTED DOWNLOAD",time1,time2),
   HOST=if(action="ACCEPTED DOWNLOAD",HOST1,HOST2),
   ...

You didn't share regex 2, so I used the same regex to show the approach.

Ciao.

Giuseppe


Abhineet
Loves-to-Learn Everything

Hi @gcusello!

For every "action" we have a separate regex; we want to use the regex inside an if condition on the basis of the "action" matched,

so that it extracts information from the events that belong to a particular "action".

For example:

if (action = "ACCEPTED UPDATE", <apply regex3 to events matching the action>)

If the condition is satisfied for an event, apply the regex to that event; if it is not satisfied, do nothing.

Thanks

Abhineet

gcusello
SplunkTrust

Hi @Abhineet,

as @inventsekar said, it isn't possible to insert a regex in an if statement; the only approach is the one I described, or the solution from @inventsekar.

Ciao.

Giuseppe


inventsekar
SplunkTrust

Hi @Abhineet, running rex inside an if condition doesn't look possible, but you can do it like this: run two rex commands and then use the if condition to select your fields. (I just copy-pasted gcusello's SPL, adding your base query.)

Please update your rex2 and tell us what your if-condition requirement is; then we can edit this SPL to match your requirement.

index=jfrog_index "org.artifactory.security.AccessLogger" NOT "127.0.0.1"
| rex field=_raw ".*AccessLogger \[(?<action>[\w\s]+)\].*"
| search action="ACCEPTED*"
| rex ".*[\s]+\d+ (?<time1>[\d:]+) (?<HOST1>[\w\d]+) \[(?<date1>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo1>[\w-]+):(?<package1>.*) for client : (?<user1>[\_\w\-\d]+) \/ (?<userIp1>.*)\."
| rex ".*[\s]+\d+ (?<time2>[\d:]+) (?<HOST2>[\w\d]+) \[(?<date2>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo2>[\w-]+):(?<package2>.*) for client : (?<user2>[\_\w\-\d]+) \/ (?<userIp2>.*)\."
| eval
   time=if(action="ACCEPTED DOWNLOAD",time1,time2),
   HOST=if(action="ACCEPTED DOWNLOAD",HOST1,HOST2)

thanks and best regards,
Sekar

PS: If this or any post helped you in any way, please consider upvoting. Thanks for reading!
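The workaround in the answers above (run every rex, then pick fields per action with eval if()) is logically the same as dispatching one regex per action value. As an added example that is not from any of the posters, here is that dispatch in Python over constructed Artifactory access-log lines, using the action rex and regex1 from the question; the ACCEPTED LOGIN pattern is an assumption, since regex2 was never shared in the thread, and the `pcre_to_python` helper is needed because Splunk rex uses PCRE `(?<name>...)` groups while Python's `re` requires `(?P<name>...)`.

```python
import re

def pcre_to_python(pattern: str) -> str:
    """Splunk rex uses PCRE named groups (?<name>...); Python's re needs
    (?P<name>...). Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)

# Action extraction: the first rex from the question, unchanged.
ACTION_RE = re.compile(pcre_to_python(r".*AccessLogger \[(?<action>[\w\s]+)\].*"))

# One field regex per action. ACCEPTED DOWNLOAD is regex1 from the question;
# regex2 was never shared, so the LOGIN pattern is an assumption in the same
# style. Actions with no entry here get no extra fields ("nothing to do").
PER_ACTION_RE = {
    "ACCEPTED DOWNLOAD": re.compile(pcre_to_python(
        r".*[\s]+\d+ (?<time>[\d:]+) (?<HOST>[\w\d]+) \[(?<date>[\d-]+)T.*\].*AccessLogger \[.*\] "
        r"(?<repo>[\w-]+):(?<package>.*) for client : (?<user>[\_\w\-\d]+) \/ (?<userIp>.*)\.")),
    "ACCEPTED LOGIN": re.compile(pcre_to_python(  # assumed pattern, not from the thread
        r".*[\s]+\d+ (?<time>[\d:]+) (?<HOST>[\w\d]+) \[(?<date>[\d-]+)T.*\].*AccessLogger \[.*\] "
        r"for client : (?<user>[\_\w\-\d]+) \/ (?<userIp>.*)\.")),
}

def extract(event: str) -> dict:
    """Extract the action first, then apply only the regex chosen by that action.
    Returns {} for non-AccessLogger lines and just the action when no regex exists."""
    m = ACTION_RE.match(event)
    if not m:
        return {}
    action = m.group("action").strip()
    rx = PER_ACTION_RE.get(action)
    fm = rx.match(event) if rx else None
    if not fm:
        return {"action": action}
    return {"action": action, **fm.groupdict()}

# Constructed sample events in the syslog-forwarded shape that regex1 expects.
SAMPLE_EVENTS = [
    "Jan 15 10:15:32 artifactory01 [2024-01-15T10:15:32.123Z] [http-nio-8081-exec-3] [INFO ] "
    "o.a.s.AccessLogger [ACCEPTED DOWNLOAD] libs-release-local:org/example/app/1.0/app-1.0.jar "
    "for client : jenkins-ci / 10.20.30.40.",
    "Jan 15 10:16:01 artifactory01 [2024-01-15T10:16:01.004Z] [http-nio-8081-exec-7] [INFO ] "
    "o.a.s.AccessLogger [ACCEPTED LOGIN] for client : alice / 10.20.30.41.",
    "Jan 15 10:17:45 artifactory01 [2024-01-15T10:17:45.900Z] [http-nio-8081-exec-2] [INFO ] "
    "o.a.s.AccessLogger [ACCEPTED DELETE] libs-release-local:org/example/app/0.9/app-0.9.jar "
    "for client : alice / 10.20.30.41.",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract(ev))
```

Note that regex1's HOST group `[\w\d]+` does not allow hyphens, so a hostname such as `artifactory-01` would make the whole extraction fail silently; the same applies inside Splunk.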