Splunk Search

Regex SOS!

sdorich
Communicator

I'm trying to match everything in quotes in the following log file example. I've been working on this for a while and am desperate!

This regex matches the first item in quotes in a given event (but I want to match everything).

((?:[^ \n]* ){1,8}'(?P<sis_audit_type>[^']+))

I would have thought that this regex works but it gives an error:

([^]+:[^]+:\s[^]+'(?P<sis_audit_type>[^]+)'){1,5}

My example log file is attached and pasted below. Thanks!

2014-02-03 05:26:53 - User: SiteScope Administrator. Operation performed: logged in.
2014-02-03 10:19:20 - User: SiteScope Administrator. Operation performed: Username and password do not match. Failed to login.
2014-02-03 10:19:24 - User: SiteScope Administrator. Operation performed: logged in.
2014-02-03 11:44:33 - User: SiteScope Administrator. Operation performed: logged in.
2014-02-03 11:53:54 - User: SiteScope Administrator. Operation performed: logged in.
2014-02-03 12:10:17 - User: SiteScope Administrator. Operation performed: Alert 'sound' created in 'SiteScope\Test\google.com'.
2014-02-03 12:10:43 - User: SiteScope Administrator. Operation performed: UPDATE Monitor 'SiteScope\Test\google.com' start:
2014-02-03 12:10:43 - User: SiteScope Administrator. Operation performed: Monitor 'SiteScope\Test\google.com' update: '_classifier2' updated from '' to 'percentGood != 0 error every day, all day'.
2014-02-03 12:10:43 - User: SiteScope Administrator. Operation performed: Monitor 'SiteScope\Test\google.com' update: '_classifier1' updated from 'percentGood == 0 error every day, all day' to ''.
2014-02-03 12:10:43 - User: SiteScope Administrator. Operation performed: UPDATE Monitor 'SiteScope\Test\google.com' end.
2014-02-03 12:10:43 - User: SiteScope Administrator. Operation performed: MANUAL RUN for monitor 'SiteScope\Test\google.com'.
2014-02-03 12:20:18 - User: SiteScope Administrator. Operation performed: MODIFY Acknowledgment on 'SiteScope\Test\google.com' start:
2014-02-03 12:20:18 - User: SiteScope Administrator. Operation performed: Acknowledgment 'ack google' was added to 'SiteScope\Test\google.com'
2014-02-03 12:20:18 - User: SiteScope Administrator. Operation performed: UPDATE Monitor 'SiteScope\Test\google.com' start:
2014-02-03 12:20:18 - User: SiteScope Administrator. Operation performed: UPDATE Monitor 'SiteScope\Test\google.com' end.
2014-02-03 12:20:18 - User: SiteScope Administrator. Operation performed: MODIFY Acknowledgment on 'SiteScope\Test\google.com' end.
2014-02-03 13:22:42 - User: SiteScope Administrator. Operation performed: logged in.
2014-02-03 13:28:00 - User: SiteScope Administrator. Operation performed: logged out.
2014-02-03 13:28:10 - User: . Operation performed: Username and password do not match. Failed to login.

1 Solution

somesoni2
Revered Legend

Try this one.

yourbase search | rex max_match=0 "'(?<sis_audit_type>[^']*)'\s"
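Added example, not code from the thread: the three patterns that come up in this discussion (the greedy `'(?<sis_audit_type>.*)'` tried further down, the accepted `'(?<sis_audit_type>[^']*)'\s`, and the same pattern without the trailing `\s`) run with Python's `re.findall`, which collects every match the way `rex max_match=0` does, over four of the events posted in the question. It shows why the greedy form returns one over-long value per event (the output reported below as `ack google' was added to ...`), that `''` yields an empty value, and that the trailing `\s` in the accepted answer silently drops a quoted value that ends the line or is followed by a period. The events are copied from the question; the function names are this example's own.

```python
import re

# Sample events copied from the question above (backslashes kept as in the log).
EVENTS = [
    r"2014-02-03 12:10:17 - User: SiteScope Administrator. Operation performed: Alert 'sound' created in 'SiteScope\Test\google.com'.",
    r"2014-02-03 12:10:43 - User: SiteScope Administrator. Operation performed: Monitor 'SiteScope\Test\google.com' update: '_classifier2' updated from '' to 'percentGood != 0 error every day, all day'.",
    r"2014-02-03 12:20:18 - User: SiteScope Administrator. Operation performed: Acknowledgment 'ack google' was added to 'SiteScope\Test\google.com'",
    r"2014-02-03 13:28:10 - User: . Operation performed: Username and password do not match. Failed to login.",
]

# The three patterns discussed in the thread. Python's re module only accepts
# the (?P<name>...) spelling of PCRE's (?<name>...), so plain capture groups
# are used here; the matching behaviour is otherwise the same.
GREEDY = re.compile(r"'(.*)'")          # '(?<sis_audit_type>.*)'   : .* runs to the LAST quote on the line
ACCEPTED = re.compile(r"'([^']*)'\s")   # accepted answer: closing quote must be followed by whitespace
ALL_QUOTED = re.compile(r"'([^']*)'")   # same, without the trailing \s


def extract(pattern, event):
    """Return every capture of `pattern` in `event`, like rex max_match=0."""
    return pattern.findall(event)


def compare(events=EVENTS):
    """For each event, the values each of the three patterns extracts."""
    return [
        {
            "greedy": extract(GREEDY, e),
            "accepted": extract(ACCEPTED, e),
            "all_quoted": extract(ALL_QUOTED, e),
        }
        for e in events
    ]


if __name__ == "__main__":
    for event, row in zip(EVENTS, compare()):
        print(event)
        for name, values in row.items():
            print(f"  {name:>10}: {values}")
```

Two things follow from the output. First, `[^']*` also stops at an apostrophe inside a value (a monitor named `O'Brien` would be split), so if such names are possible the delimiter needs to be something other than a bare quote. Second, on the props.conf question raised further down: `EXTRACT-<class>` in props.conf has no `max_match` and keeps only the first match of the regex. To get every quoted value into one multivalue field at search time, point a `REPORT-<class>` entry in props.conf at a transforms.conf stanza that carries the same `REGEX` (with the `(?<sis_audit_type>...)` group name present; the forum rendering ate it in the post below) together with `MV_ADD = true`.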


sdorich
Communicator

Thank you! I think that worked pretty well! One question: how can I use that as a regular expression in, say, props.conf? I tried this:

EXTRACT-Audit Type = '(?<sis_audit_type>[^']*)'\s

but that didn't work. It seems to only work with the rex search command. Is there something I need to modify to use it in props.conf?

Thanks!


sdorich
Communicator

Thanks! I tried it and was close, but I got everything in between the values with quotes. For example, I got this:

ack google' was added to 'SiteScope\Test\google.com'

but what I'd really like are the following 2 separate values:

ack google
SiteScope\Test\google.com


somesoni2
Revered Legend

Try this

yourbase search | rex max_match=0 "'(?<sis_audit_type>.*)'" | nomv sis_audit_type

To see if you get correct values.


sdorich
Communicator

Yes. I'd like (if possible) all the values in quotes as a single field.


somesoni2
Revered Legend

You want to get all the values in quotes as a single field?


sdorich
Communicator

Just added the sample events (each timestamp represents a new event). Thanks!


Ayn
Legend

It'd be much easier to debug this if you could post sample events as text instead. That way it's easy to try to create a matching regex on http://regexpal.com/ or something similar.
