Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

REX separator in search string

p_basanth
New Member
‎03-13-2013 01:05 AM

I have 2 separate rex extractions. Both work fine individually. I need to combine both these rex's into single search without using |What is the seperator/delimter for multiple rex in single search

case1 : working fine
|rex extraction1
|rex extraction2

case 2: not working
|rex extraction1, extraction2
|rex (extraction1)(extraction2)
|rex extraction1 extraction2

Tags (1)
0 Karma
Reply

starcher
Influencer
‎03-15-2013 12:27 PM

I usually move my rex extractions to props and transforms once I have them working and if I need them in an ongoing basis. There is no real reason you have to try and combine them into one.

Here is an example where I have syslog from pgp management appliance. Broken out using multiple extracts.

From PROPS.CONF:

[syslog_pgp]
CHECK_FOR_HEADER = 0
SHOULD_LINEMERGE = TRUE
REPORT-uabPGP=pgpclient-extract,pgpuser-extract,pgpdisk-extract,pgpmachine-extract,pgpsrc-    extract-1,pgpsrc-extract-2
pulldown_type = false

Then the stanzas from TRANSFORMS.CONF

[pgpclient-extract]
REGEX = (?:CLIENT-)(?P<client>\d{5})

[pgpuser-extract]
REGEX = (?i: [\[]{0,1}User )(?P<user>[^ \]]+)

[pgpuser-extract-2]
REGEX = (?:attempt for Administrator \")(?P<user>[^ \"]+)

[pgpdisk-extract]
REGEX = (?: on disk )(?P<disk>.+)(?: on )

[pgpmachine-extract]
REGEX = (?: on machine )(?P<machine>[^ ]+)

[pgpsrc-extract-1]
REGEX = (?: from \[)(?P<src_ip>[^\]]+)

[pgpsrc-extract-2]
REGEX = (?: connection from )(?P<src_ip>[^ ]+)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-13-2013 02:34 AM

You could put both in props.conf/transforms.conf.

0 Karma
Reply

Ayn
Legend
‎03-13-2013 01:12 AM

Why would you need to combine them? Just keeping them separate is easiest and least confusing.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...