Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Matching two expressions to one field

markmcd
Path Finder
‎04-29-2013 05:48 AM

I am trying to extract a field from logs that look like this:

Apr 28 07:45:22.992 On [2:18]20.5.4.1:5070 sent to 102.11.130.135:50953 
...
Apr 28 07:45:22.992 On [0:51]10.20.33.50:5060 received from 10.20.1.1:59758 
...

The fields I'm trying to extract are source & destination IPs for each entry. So for source_ip, it's 20.5.4.1 and 10.2.1.1. For the destination, it's 102.11.130.135 & 10.20.33.50.

It looks like I need a regex that matches a field that 'begins with "sent to" OR ends with "received from"' and vice-versa but I can't for the life of me get the regex to work.

I tried to use prefixes but ended up with some nasty regexes that just don't work.

(?i)([^\]\n]*\]|received from )(?P<FIELDNAME>\d+\.\d+\.\d+\.\d+:\d+)

Can I do this with Splunk? Is it possible to use two regexes to extract to one field?

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎04-29-2013 06:00 AM

Sure. You could either simply use two separate field extraction rules that both write their results to a field with the same name, or you could use one extraction regex that picks up both cases. I think the first approach is way better so I'll just cover that.

Simply create an extraction like you would otherwise (field extraction tool in Splunk web, extractions in the Manager, props.conf / transforms.conf...) and then create another one for your 2nd case, and use the same field name for them both. This is the simplest and in my opinion best approach, because you don't have to build an overly complex regex to cover for two different types of matches.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎04-29-2013 06:00 AM

Sure. You could either simply use two separate field extraction rules that both write their results to a field with the same name, or you could use one extraction regex that picks up both cases. I think the first approach is way better so I'll just cover that.

Simply create an extraction like you would otherwise (field extraction tool in Splunk web, extractions in the Manager, props.conf / transforms.conf...) and then create another one for your 2nd case, and use the same field name for them both. This is the simplest and in my opinion best approach, because you don't have to build an overly complex regex to cover for two different types of matches.

Reply
Solved! Jump to solution

ektasardana
Explorer
‎10-13-2017 02:12 PM

I tried to do the same as mentioned above but it says the field name already exists. How should I proceed?

0 Karma
Reply
Solved! Jump to solution

Yorokobi
SplunkTrust
SplunkTrust
‎10-13-2017 03:49 PM

You cannot use a field name twice in a | rex statement:

index=_internal | rex "\d{3} (?<hostname>[^\ ]+) (?<hostname>[^\ ]+)"

To do something like that, you need two separate | rexes in your SPL:

index=_internal | rex "\d{3} (?<hostname>[^\ ]+)" | rex "\d{3} \w+ (?<hostname>[^\ ]+)"

To do this in props.conf (note the double field name extraction here :D) :

EXTRACT-order_no1   = Order (N|n)o: (?<order_no>(?<dw_order_no>\d+))
EXTRACT-order_no2   = <original-order-no>(?<order_no>(?<dw_order_no>\d+))
EXTRACT-order_no3   = <current-order-no>(?<order_no>(?<dw_order_no>\d+))
EXTRACT-order_no4   = ORDER_NO: (?<order_no>(?<dw_order_no>\d+))
EXTRACT-order_no5   = "ORDR":"(?<order_no>(?<dw_order_no>\d+))
EXTRACT-order_no6   = ORDR=(?<order_no>(?<dw_order_no>\d+))
EXTRACT-order_no7   = "orderNumber": "(?<order_no>(?<dw_order_no>\d+))
EXTRACT-order_no8   = order\/detail\/(?<order_no>(?<dw_order_no>\d+))

As with | rex you can only extract the name once per line but you can have many lines with to repeat the field name (?<field_name_here>...)

Reply
Solved! Jump to solution

ektasardana
Explorer
‎10-13-2017 04:16 PM

This worked. Thank you:)

0 Karma
Reply
Solved! Jump to solution

markmcd
Path Finder
‎05-01-2013 05:02 AM

For any future searchers, this needs to be in a conf file (e.g. etc/users/admin/search/local/props.conf) with the left-hand side of the '=' being unique, but the RHS using the same (?P.+)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...