Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a regex syntax for undefined number of characters?

jenniferleenyc
Engager
‎07-25-2016 12:51 PM

I need to get commonName for ISSUER NAME but there are multiple issues: there are more than one commonName(one for ISSUER NAME and another for SUBJECT NAME), commonName position below ISSUER NAME is not fixed, and commonName will sometimes be a string of words with spaces between them. Is there a syntax for an indefinite number of characters and a syntax for scanning a string of words and spaces?

Data:
(0)ISSUER NAME

countryName US
organizationName Lucky Stars
commonName Dev Lucky Stars Internal PKI Firmwide Generic Issuing CA 6
(0)SUBJECT NAME

countryName US
stateOrProvinceName New York
localityName New York
organizationName Lucky Stars
commonName iklabnac04.ms.com
emailAddress mike.ng@luckystars.com
(0)Valid From May 26 03:33:39 2016 GMT
(0)Valid Till May 26 03:33:39 2018 GMT

Tags (1)
0 Karma
Reply

sundareshr
Legend
‎07-25-2016 01:05 PM

Try this. There can be more than 2 commonName, adjust the max_match count and eval statements accordingly.

.... | rex max_match=2 "(?<commonName>commonName[^\t\n]+)"  | eval commonName_Issuer=mvindex(commonName, 0) | eval commonName_Subject=mvindex(commonName, 1) | ...
0 Karma
Reply

jenniferleenyc
Engager
‎07-25-2016 01:53 PM

I'm a little unfamiliar with regex syntax. What do the "..." and pipes indicate? What do I replace the "..." with?

0 Karma
Reply

sundareshr
Legend
‎07-25-2016 01:57 PM

the ... just means etc. At the begining it is your base search, like this

index=nameofyourindex sourcetype=nameofsourcetype | rex max_match=2 "(?<commonName>commonName[^\t\n]+)"  | eval commonName_Issuer=mvindex(commonName, 0) | eval commonName_Subject=mvindex(commonName, 1) | table _time commonName_Issuer commonName_Subject
0 Karma
Reply

jenniferleenyc
Engager
‎07-25-2016 02:04 PM

This looks like a search string for Search&Reporting. Can I also put this string in the extraction/transform field?

0 Karma
Reply

sundareshr
Legend
‎07-25-2016 02:26 PM

If you want the regex for the extraction/transform field, you can use the following in your props & transforms

*props*

[unique_stanza_name]
REPORT-common = commName_extract

*transforms*

[commName_extract]
REGEX=(?<commonName>commonName[^\t\n]+)
MV_ADD = true
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎07-25-2016 01:03 PM

Give this a try

your base search | rex "commonName (?<commonName>(\S+\s*)+)"
0 Karma
Reply

jenniferleenyc
Engager
‎07-25-2016 01:19 PM

would this be an inline command?

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎07-25-2016 01:55 PM

Yes, this would be added to your current search. Post the search you're using if you've any confusion where it should be added.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2016 01:02 PM

Is the commonName field always prefixed by "commonName"?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...