Solved: Re: Multiple REX from single search

MasterOogway · ‎07-30-2012

I have some sendmail logs that send the following different entries within the data streams:

disposition=abc123

disposition=abc123, followed by some stuff.

disposition=xyz-123

disposition=xyz-123, followed by some stuff.

And I need to build one REX statement that allows me to call what comes after the "=" sign an errorcode. How can define multiple REX's from one search string?

Here is an example that works, but also pulls too much information after location the errorcode.

index=sendmail | rex "disposition=(?.*?)$" < ---sorry, the editor won't define my angle bracket, word, angle bracket that is between the first ? and the second?

It pulls everything after the errorcode including addtional characters, words and numbers and I need to grab strong text only.

Any thoughts on how to build a multi REX statement within one search query and defining each found errorcode as an incident?

richgalloway · ‎07-30-2012

Perhaps something like "disposition=(?P[^\n,]*),?" will help.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-30-2012

Perhaps something like "disposition=(?P[^\n,]*),?" will help.

---
If this reply helps you, Karma would be appreciated.

Multiple REX from single search

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...