Solved: Regex match till end of event?

Cuyose · ‎08-09-2016

Not sure why I cant find this, but the following is not working.

|rex field=_raw "(?i)response=(?<responseXML>.+)$"

where response= occurs somewhere in the event and always continues to the very end of a multi lined event.

somesoni2 · ‎08-10-2016

Give this a try

 | rex field=_raw "response=(?<responseXML>[\S\s\r\n]*)$"

Option 2

 your base search | eval responseXML=replace(_raw,"^([\S\s\r\n]*)response=","")

View solution in original post

Richfez · ‎08-10-2016

Do you have a sample of one of the difficult, long, multi-line event that we can use for confirmation of potential solutions before posting them?

inventsekar · ‎08-10-2016

we are trying to create the rex query with just our own understanding of your issue.
could you please update us an event, and your current query, please.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

somesoni2 · ‎08-10-2016

Give this a try

 | rex field=_raw "response=(?<responseXML>[\S\s\r\n]*)$"

Option 2

 your base search | eval responseXML=replace(_raw,"^([\S\s\r\n]*)response=","")

Cuyose · ‎08-10-2016

Cool, this worked(Option 1), but its very odd that I had to resort to this, as the first example I tried had worked in many other situations!

dbcase · ‎08-10-2016

Have you tried erex?

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Erex

Using erex, Splunk will attempt to write the rex pattern for you given your example string(s).

Cuyose · ‎08-10-2016

Unfortunately, while useful for smaller more specific examples, this cannot take multiple 1000 character examples across multiple lines as input.

sundareshr · ‎08-10-2016

Try this

| rex field=_raw "response=(?<msg>[^\t\n]+)"

Cuyose · ‎08-10-2016

this does not work because it only captures to the end of the current line the response= is found in.

sundareshr · ‎08-10-2016

Try this

| rex field=_raw "response=(?<msg>[^\S\t\r\n]+)"

inventsekar · ‎08-10-2016

"(?i)response=(?.+)$" -----

- you should use < and > around the variable - (?<i>) 
- (?<i>) needs to come where it will appear on the event (ie, after the "response=")

and i created few sample events ending with "response=digits"

event 1 - Extract "from" and "to" fields using regular expressions. response=101
event 2 - If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob, response=404
event 3 - source="tutorialdata.zip:./www1/access.log" response=500

and this query picks up the response codes fine.

sourcetype=responseREX | rex field=_raw "response=(?<i>.*)" | table _raw, i

regarding the end of line $, these below two works same -
response=(?.)
and
response=(?.)$

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Cuyose · ‎08-10-2016

This only captured the first character after response=

Cuyose · ‎08-10-2016

Sorry, I had that, but I must have missed the code button and it stripped out some things.

This is not working

|rex field=_raw "(?m)Data=(?<xmlData>.+)$"

Regex match till end of event?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

Regex match till end of event?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions