Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

REX separator in search string

p_basanth
New Member
‎03-13-2013 01:05 AM

I have 2 separate rex extractions. Both work fine individually. I need to combine both these rex's into single search without using |What is the seperator/delimter for multiple rex in single search

case1 : working fine
|rex extraction1
|rex extraction2

case 2: not working
|rex extraction1, extraction2
|rex (extraction1)(extraction2)
|rex extraction1 extraction2

Tags (1)
0 Karma
Reply

starcher
Influencer
‎03-15-2013 12:27 PM

I usually move my rex extractions to props and transforms once I have them working and if I need them in an ongoing basis. There is no real reason you have to try and combine them into one.

Here is an example where I have syslog from pgp management appliance. Broken out using multiple extracts.

From PROPS.CONF:

[syslog_pgp]
CHECK_FOR_HEADER = 0
SHOULD_LINEMERGE = TRUE
REPORT-uabPGP=pgpclient-extract,pgpuser-extract,pgpdisk-extract,pgpmachine-extract,pgpsrc-    extract-1,pgpsrc-extract-2
pulldown_type = false

Then the stanzas from TRANSFORMS.CONF

[pgpclient-extract]
REGEX = (?:CLIENT-)(?P<client>\d{5})

[pgpuser-extract]
REGEX = (?i: [\[]{0,1}User )(?P<user>[^ \]]+)

[pgpuser-extract-2]
REGEX = (?:attempt for Administrator \")(?P<user>[^ \"]+)

[pgpdisk-extract]
REGEX = (?: on disk )(?P<disk>.+)(?: on )

[pgpmachine-extract]
REGEX = (?: on machine )(?P<machine>[^ ]+)

[pgpsrc-extract-1]
REGEX = (?: from \[)(?P<src_ip>[^\]]+)

[pgpsrc-extract-2]
REGEX = (?: connection from )(?P<src_ip>[^ ]+)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-13-2013 02:34 AM

You could put both in props.conf/transforms.conf.

0 Karma
Reply

Ayn
Legend
‎03-13-2013 01:12 AM

Why would you need to combine them? Just keeping them separate is easiest and least confusing.

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...