Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a regex syntax for undefined number of characters?

jenniferleenyc
Engager
‎07-25-2016 12:51 PM

I need to get commonName for ISSUER NAME but there are multiple issues: there are more than one commonName(one for ISSUER NAME and another for SUBJECT NAME), commonName position below ISSUER NAME is not fixed, and commonName will sometimes be a string of words with spaces between them. Is there a syntax for an indefinite number of characters and a syntax for scanning a string of words and spaces?

Data:
(0)ISSUER NAME

countryName US
organizationName Lucky Stars
commonName Dev Lucky Stars Internal PKI Firmwide Generic Issuing CA 6
(0)SUBJECT NAME

countryName US
stateOrProvinceName New York
localityName New York
organizationName Lucky Stars
commonName iklabnac04.ms.com
emailAddress mike.ng@luckystars.com
(0)Valid From May 26 03:33:39 2016 GMT
(0)Valid Till May 26 03:33:39 2018 GMT

Tags (1)
0 Karma
Reply

sundareshr
Legend
‎07-25-2016 01:05 PM

Try this. There can be more than 2 commonName, adjust the max_match count and eval statements accordingly.

.... | rex max_match=2 "(?<commonName>commonName[^\t\n]+)"  | eval commonName_Issuer=mvindex(commonName, 0) | eval commonName_Subject=mvindex(commonName, 1) | ...
0 Karma
Reply

jenniferleenyc
Engager
‎07-25-2016 01:53 PM

I'm a little unfamiliar with regex syntax. What do the "..." and pipes indicate? What do I replace the "..." with?

0 Karma
Reply

sundareshr
Legend
‎07-25-2016 01:57 PM

the ... just means etc. At the begining it is your base search, like this

index=nameofyourindex sourcetype=nameofsourcetype | rex max_match=2 "(?<commonName>commonName[^\t\n]+)"  | eval commonName_Issuer=mvindex(commonName, 0) | eval commonName_Subject=mvindex(commonName, 1) | table _time commonName_Issuer commonName_Subject
0 Karma
Reply

jenniferleenyc
Engager
‎07-25-2016 02:04 PM

This looks like a search string for Search&Reporting. Can I also put this string in the extraction/transform field?

0 Karma
Reply

sundareshr
Legend
‎07-25-2016 02:26 PM

If you want the regex for the extraction/transform field, you can use the following in your props & transforms

*props*

[unique_stanza_name]
REPORT-common = commName_extract

*transforms*

[commName_extract]
REGEX=(?<commonName>commonName[^\t\n]+)
MV_ADD = true
0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2016 01:03 PM

Give this a try

your base search | rex "commonName (?<commonName>(\S+\s*)+)"
0 Karma
Reply

jenniferleenyc
Engager
‎07-25-2016 01:19 PM

would this be an inline command?

0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2016 01:55 PM

Yes, this would be added to your current search. Post the search you're using if you've any confusion where it should be added.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2016 01:02 PM

Is the commonName field always prefixed by "commonName"?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
Top