Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

REX separator in search string

p_basanth
New Member
‎03-13-2013 01:05 AM

I have 2 separate rex extractions. Both work fine individually. I need to combine both these rex's into single search without using |What is the seperator/delimter for multiple rex in single search

case1 : working fine
|rex extraction1
|rex extraction2

case 2: not working
|rex extraction1, extraction2
|rex (extraction1)(extraction2)
|rex extraction1 extraction2

Tags (1)
0 Karma
Reply

starcher
Influencer
‎03-15-2013 12:27 PM

I usually move my rex extractions to props and transforms once I have them working and if I need them in an ongoing basis. There is no real reason you have to try and combine them into one.

Here is an example where I have syslog from pgp management appliance. Broken out using multiple extracts.

From PROPS.CONF:

[syslog_pgp]
CHECK_FOR_HEADER = 0
SHOULD_LINEMERGE = TRUE
REPORT-uabPGP=pgpclient-extract,pgpuser-extract,pgpdisk-extract,pgpmachine-extract,pgpsrc-    extract-1,pgpsrc-extract-2
pulldown_type = false

Then the stanzas from TRANSFORMS.CONF

[pgpclient-extract]
REGEX = (?:CLIENT-)(?P<client>\d{5})

[pgpuser-extract]
REGEX = (?i: [\[]{0,1}User )(?P<user>[^ \]]+)

[pgpuser-extract-2]
REGEX = (?:attempt for Administrator \")(?P<user>[^ \"]+)

[pgpdisk-extract]
REGEX = (?: on disk )(?P<disk>.+)(?: on )

[pgpmachine-extract]
REGEX = (?: on machine )(?P<machine>[^ ]+)

[pgpsrc-extract-1]
REGEX = (?: from \[)(?P<src_ip>[^\]]+)

[pgpsrc-extract-2]
REGEX = (?: connection from )(?P<src_ip>[^ ]+)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-13-2013 02:34 AM

You could put both in props.conf/transforms.conf.

0 Karma
Reply

Ayn
Legend
‎03-13-2013 01:12 AM

Why would you need to combine them? Just keeping them separate is easiest and least confusing.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...