Splunk Search

Regex for variable extraction

Contributor

50.99.220.89

- 50.99.248.89 - - [12/Jun/2019:08:27:13 -0400] "POST /ccc67/JJ/U7UY/BCFUVGYUYGI11HTTP/1.1" 500 6629
abcdef.us12345

v1
v2

How can I extract v1 and v2 from the events?
v2 always starts with abc and has a 5-digit port number.
Please guide me, thanks.

Builder

Use the backtick before and after your line to show all special characters

Builder

Hi reverese,
Can you please modify your question using a backtick character before and after your sample line?
But here's what you can do with the rex command:

| rex "^(?<v1>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*(?<v2>abc\S+\d{5})$"

Contributor

Can I use a single rex to extract both v1 and v2 from each raw line?

Builder

In most cases, yes. Could you clarify what v1 is and what v2 is in your raw line? Is v1 an IP address? Give me an example of v1 and v2. Thanks.

Contributor

I found the solution: I just added two rex commands and it worked. I am able to use both variables in my stats command.

Builder

Ok, but if v1 = abcdef.us12345 and v2 = abcdef.us:12345 do you really need to differentiate between v1 & v2, or are you just trying to capture the data?

If you don't care you would use:
| rex ".*(?<v1>abc\S+\d{1,5})$"

If you DO care then you would use:
| rex ".*(?<v2>abc[^:]+:\d{1,5})|(?<v1>abc\S+\d{1,5})$"
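The two rex forms above, run with Python's re module over constructed sample events (an added example, not code from the thread). Splunk rex uses PCRE named groups (?<name>...), which Python spells (?P<name>...); the sample events and the is_valid_ipv4 check are my additions, assumed for illustration.

```python
import ipaddress
import re

# Constructed sample events in the shape of the thread's access-log line (not the poster's data).
EVENTS = [
    '50.99.220.89 - - [12/Jun/2019:08:27:13 -0400] "POST /ccc67/JJ/x HTTP/1.1" 500 6629 abcdef.us:12345',
    '10.1.2.3 - - [12/Jun/2019:08:27:14 -0400] "GET /index.html HTTP/1.1" 200 512 abcdef.us12345',
    '192.168.0.7 - - [12/Jun/2019:08:27:15 -0400] "GET /health HTTP/1.1" 200 2',
    '999.1.1.1 - - [12/Jun/2019:08:27:16 -0400] "GET / HTTP/1.1" 200 1 abcdef.us:12345',
]

# Single-rex form from the thread: IPv4-looking token at start of line, abc... token
# ending in five digits at end of line.  (?<v1>...) becomes (?P<v1>...) in Python.
SINGLE_REX = re.compile(
    r'^(?P<v1>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*(?P<v2>abc\S+\d{5})$'
)

# Alternation form from the thread: the colon form (host:port) lands in v2,
# the bare form lands in v1; whichever alternative does not match stays None.
ALT_REX = re.compile(r'.*(?P<v2>abc[^:]+:\d{1,5})|(?P<v1>abc\S+\d{1,5})$')


def extract(event: str) -> dict:
    """Single-rex extraction: {'v1': ip, 'v2': token}, or {} when the line does not match."""
    m = SINGLE_REX.search(event)
    return m.groupdict() if m else {}


def classify(event: str) -> dict:
    """Alternation form: {'v2': 'host:port', 'v1': None} or {'v2': None, 'v1': 'hostport'}."""
    m = ALT_REX.search(event)
    return m.groupdict() if m else {}


def is_valid_ipv4(text: str) -> bool:
    """\\d{1,3} accepts octets like 999; validate the extracted field before using it as an IP."""
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


if __name__ == "__main__":
    for ev in EVENTS:
        fields = extract(ev)
        print(fields, classify(ev), is_valid_ipv4(fields.get("v1", "")))
```

The fourth event shows the caveat: the regex happily returns 999.1.1.1 as v1, so a search that keys on v1 as a source address should validate it (or use a tighter pattern) before trusting it.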

Contributor

v1 = 50.99.220.89, v2 = abcdef.us:12345

Builder

Much clearer... Definitely no need for two rex statements for that. The one I provided above in the answer works on that.

Contributor

I have a rex like: rex "(?xxxx|yyyy)"

When using stats by action, my results are divided by xxxx and yyyy.

How can I avoid this separation?

Builder

You'll need to write that more clearly, and use the backticks around your rex statement so special characters don't get removed.

What's the whole search? And what does an event look like for that search where the rex matches?

Influencer

Yes, you can.

Contributor

Please guide me using the example raw event mentioned.

Contributor

Updated, thanks!

Influencer

What is v1 in your example? Is it 1.1? And what is the value of v2 in the above example?

Contributor

abcdef.us12345

Contributor

abcdef.us:12345
