Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Problems with extracting fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SplunkUser5888
Path Finder
04-07-2014
03:58 AM
Hey guys,
I'm trying to use regular expressions but can't get my head around it. I'm receiving lines such as:
u'C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_txt\\Virus': ('FOUND', 'Eicar-Test-Signature')
u'C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_zip_pass\\Virus.zip': ('FOUND', 'Heuristics.Encrypted.Zip')
u'C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_txt\\Virus': ('FOUND', 'Eicar-Test-Signature')
u'C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\pyclamd.pyc': ('FOUND', 'Eicar-Test-Signature-1')
u'C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_zip_pass\\Virus.zip': ('FOUND', 'Heuristics.Encrypted.Zip')
and would like to extract the destination and the ('FOUND' 'VIRUS_NAME') fields separately to create an app. Any help would be greatly appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
04-07-2014
04:15 AM
Hi SplunkUser5888,
somehting like this should get you started:
YourBaseSearchHere | rex field="_raw" "'(?<myDest>.+)'\:\s\('(?<myFound>.+)'\,\s'(?<myVirus>.+)'" | table myDest, myFound, myVirus
this will create a table of three fields for you:
myDest=C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_zip_pass\\Virus.zipmyFound=FOUNDmyVirus=Eicar-Test-Signature-1
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
04-07-2014
04:15 AM
Hi SplunkUser5888,
somehting like this should get you started:
YourBaseSearchHere | rex field="_raw" "'(?<myDest>.+)'\:\s\('(?<myFound>.+)'\,\s'(?<myVirus>.+)'" | table myDest, myFound, myVirus
this will create a table of three fields for you:
myDest=C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_zip_pass\\Virus.zipmyFound=FOUNDmyVirus=Eicar-Test-Signature-1
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
04-07-2014
05:17 AM
thx and you're welcome
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SplunkUser5888
Path Finder
04-07-2014
05:15 AM
your answer works miles better than my tweak, I've marked this as answered, thank you
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
