Splunk Search

Regex Issue using Rex command?

POR160893
Builder

Hi,

I have a field X with values similar to the following "device-group APCC1_Core_Controller pre-rulebase application-override rules NFS-bypass UDP-1" and "device-group APCC1_Core_Controller pre-rulebase application-override rules" as 2 examples of possible values.

I need to extract the value in between "device_group" and "per_rulebase...." and assign this as Y.
So, if X = "device-group APCC1_Core_Controller pre-rulebase application-override rules NFS-bypass UDP-1"
=> Y = "APCC1_Core_Controller"

If X = "device-group APCC1_Core_Controller pre-rulebase application-override rules"
=> Y = "APCC1_Core_Controller".

What would the rex command be?

Thanks,


POR160893
Builder

At the moment, I have got this far:

(screenshot attached: POR160893_0-1663941502560.png)
However, I do not want to have "device-group:" included as part of the values.
How can I change my regex?


yuanliu
SplunkTrust

If you don't want device-group, don't include it in the parentheses.  Also, \w is incorrect for your data because your group name often includes dashes, as illustrated.  See my other post.

| rex "device-group (?<device_group>\S+)"

POR160893
Builder

So, say I have a field called "M" and some of the values are as follows:

"Panorama push to device:013101010578 for device-group: Durham_IPV6_INET_SVCS succeeded. JobId=2480530"

"Panorama push to device:007257000068919 for device-group: Azure-China-Internet-North succeeded. JobId=2480524"

"Panorama push to device:016401009013 for device-group: Austin_Experience_Lounge succeeded. JobId=2480530"

How can I extract just the first string in between each "....device-group: *** succeeded. ....", where *** represents the respective value to be extracted. In the case of the above 3 examples, the 3 values extracted are "Durham_IPV6_INET_SVCS", "Azure-China-Internet-North" and "Austin_Experience_Lounge" respectively.

I tried using the following Splunk command but had no success  🙄:
|rex "body\s(?<portNumber>\d+)\s"

Any help?


yuanliu
SplunkTrust

Ok, there's a colon after "device-group".  So add that.

| rex "device-group: (?<device_group>\S+)"


youngsuh
Contributor

regex101: build, test, and debug regex

Please take a look at this link.  I suggest using regex101 before putting patterns into Splunk.


Azeemering
Builder

1. What have you tried yourself?

2. Can you provide the full event so that I can make an example for you?


POR160893
Builder

The full event is as follows: 

1,2022/09/22 10:01:40,013101004778,SYSTEM,general,2561,2022/09/22 10:01:40,,general,,0,0,general,informational,"Panorama push device-group APCC1_Core_Controller with merge-with-candidate-cfg flags set.JobId=60265.User=Panorama-admjeen_yeong_choong. Dequeue time=2022/09/22 10:01:39. DG version: APCC1_Core_Controller: 11854. ",7136408369296042839,0x8000000000000000,0,0,0,0,,apcc1pafwcc01,0,0,2022-09-22T10:01:40.203+00:00

yuanliu
SplunkTrust
extract the value in between "device_group" and "per_rulebase...." and assign this as Y

I speculate that "per_rulebase" is a mistype for "pre_rulebase" as mentioned elsewhere in the OP.  The problem is that this "pre_rulebase" or "per_rulebase" does not seem to be a literal string, according to the sample event; it appears to be an application/industry specific term related to this source, something like "with merge-with-candidate-cfg flags".  If this is correct, you cannot expect people in a Splunk forum to intuit what "pre_rulebase" (or per_rulebase) stands for.

On superficial observation, the "Y" you are trying to extract is really just the name of device group.  If this name cannot contain spaces, you can simply do

| rex "device-group (?<device_group>\S+)"

If the name may contain space, but the "pre_rulebase" always begins with keyword "with" as exemplified in the sample event, you can do something like

| rex "device-group (?<device_group>.+) with "

Of course, this second form has a larger chance of overreaching because the word "with" may appear in some other content of the event.  You have to find some pattern to reduce such chances.

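The rex variants discussed in this thread, run offline as an added example (this is not code from any post above). Python's re engine stands in for Splunk's PCRE-based rex, with a small helper that rewrites the `(?<name>...)` group syntax into Python's `(?P<name>...)` so the pattern text is the same one you would paste into `| rex`. The sample strings are constructed from the values quoted in the thread; `SPACED_EVENT`, with a multi-word group name and a second "with", is invented to show the greedy-match overreach yuanliu warns about.

```python
import re
from typing import Optional

# Constructed samples, modelled on the strings quoted in the thread.
SAMPLES_X = [
    "device-group APCC1_Core_Controller pre-rulebase application-override rules NFS-bypass UDP-1",
    "device-group APCC1_Core_Controller pre-rulebase application-override rules",
]
SAMPLES_M = [
    "Panorama push to device:013101010578 for device-group: Durham_IPV6_INET_SVCS succeeded. JobId=2480530",
    "Panorama push to device:007257000068919 for device-group: Azure-China-Internet-North succeeded. JobId=2480524",
    "Panorama push to device:016401009013 for device-group: Austin_Experience_Lounge succeeded. JobId=2480530",
]
FULL_EVENT = (
    '1,2022/09/22 10:01:40,013101004778,SYSTEM,general,2561,2022/09/22 10:01:40,,general,,0,0,general,'
    'informational,"Panorama push device-group APCC1_Core_Controller with merge-with-candidate-cfg flags set.'
    'JobId=60265.User=Panorama-admjeen_yeong_choong. Dequeue time=2022/09/22 10:01:39. '
    'DG version: APCC1_Core_Controller: 11854. ",7136408369296042839,0x8000000000000000,0,0,0,0,,'
    'apcc1pafwcc01,0,0,2022-09-22T10:01:40.203+00:00'
)
# Invented: a group name containing a space, plus a second " with " later in the text.
SPACED_EVENT = (
    "Panorama push device-group My Group with merge-with-candidate-cfg flags set. "
    "Pushed with warnings. JobId=1"
)


def rex(pattern: str, text: str) -> dict:
    """Apply a rex-style pattern to one string and return its named groups.

    Splunk rex uses PCRE named groups (?<name>...); Python needs (?P<name>...),
    so that prefix is translated. Lookbehinds (?<= and (?<! are untouched
    because \\w+ cannot match '=' or '!'.
    """
    py_pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)
    m = re.search(py_pattern, text)
    return m.groupdict() if m else {}


def extract_device_group(text: str) -> Optional[str]:
    """yuanliu's answer, with an optional colon so one pattern covers both
    "device-group X" and "device-group: X". \\S+ stops at the next whitespace,
    so dashes inside the name are kept."""
    return rex(r"device-group:? (?<device_group>\S+)", text).get("device_group")


def extract_with_w(text: str) -> Optional[str]:
    """The OP's original \\w+ class: stops at the first '-', truncating the name."""
    return rex(r"device-group:? (?<device_group>\w+)", text).get("device_group")


def extract_greedy(text: str) -> Optional[str]:
    """Second form from the thread: capture up to ' with '. Greedy .+ backtracks
    to the LAST ' with ' in the string, which is the overreach yuanliu warns about."""
    return rex(r"device-group (?<device_group>.+) with ", text).get("device_group")


def extract_lazy(text: str) -> Optional[str]:
    """Same delimiter, but lazy .+? stops at the FIRST ' with '."""
    return rex(r"device-group (?<device_group>.+?) with ", text).get("device_group")


if __name__ == "__main__":
    for s in SAMPLES_X + SAMPLES_M + [FULL_EVENT]:
        print(extract_device_group(s))
    print("\\w+ on a dashed name:", extract_with_w(SAMPLES_M[1]))
    print("greedy:", extract_greedy(SPACED_EVENT))
    print("lazy:  ", extract_lazy(SPACED_EVENT))
```

In Splunk the same pattern text goes straight into `| rex field=X "device-group:? (?<device_group>\S+)"`; rex reads `_raw` unless `field=` is given, so name the field when the text lives in X or M rather than in the raw event.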