I've got this search
index=main sourcetype="bigfix"
| eval raw=_raw
| rex mode=sed field=raw "s/\n/ /g"
| rex field=raw "At \d+:\d+:\d+\s+-0800\s+-(?<message>.*)"
| rex field=message "^(?<message_type>[^:]+):\s"
| eval message_type_ns=replace(message_type, " ", "")
| eval x_message_type=if(message_type == message_type_ns, message_type, "No message type")
| stats count by message_type, message_type_ns, x_message_type
That doesn't appear to be working correctly. I'm always getting either all true or all false. This is the output.
"message_type","message_type_ns","x_message_type",count
" ActionLogMessage",ActionLogMessage,"No message type",240
" ActiveDirectory",ActiveDirectory,"No message type",128
" Client has an AuthenticationCertificate Relay selected",ClienthasanAuthenticationCertificateRelayselected,"No message type",2
" Client shutdown (Service manager shutdown request) ******************************************** Current Date","Clientshutdown(Servicemanagershutdownrequest)********************************************CurrentDate","No message type",3
" Encryption",Encryption,"No message type",11
" Initializing Site",InitializingSite,"No message type",43
" PollForCommands",PollForCommands,"No message type",13
" Processing fixlet site. ******************************************** Current Date","Processingfixletsite.********************************************CurrentDate","No message type",1
" RegisterOnce",RegisterOnce,"No message type",149
" Report posted successfully ******************************************** Current Date","Reportpostedsuccessfully********************************************CurrentDate","No message type",1
" Restricted mode Initializing Site",RestrictedmodeInitializingSite,"No message type",3
" User interface process disabled for user 'user' ActiveDirectory","Userinterfaceprocessdisabledforuser'user'ActiveDirectory","No message type",1
" User interface process disabled for user 'user' ActiveDirectory","Userinterfaceprocessdisabledforuser'user'ActiveDirectory","No message type",1
" User interface session ended for user 'user' User interface session ended for user 'user' ******************************************** Current Date","Userinterfacesessionendedforuser'user'Userinterfacesessionendedforuser'user'********************************************CurrentDate","No message type",1
" User interface session ended for user 'user' ActiveDirectory","Userinterfacesessionendedforuser'user'ActiveDirectory","No message type",1
" User interface session ended for user 'user' ******************************************** Current Date","Userinterfacesessionendedforuser'user'********************************************CurrentDate","No message type",1
When I try this simple case, it works.
| makeresults
| eval string_a="Client shutdown (Service manager shutdown request) ******************************************** Current Date"
| eval string_b="Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date"
| eval my_string=if(string_a == string_b, string_a, string_b)
And the output
_time my_string string_a string_b
2023-12-07 10:14:17 Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date Client shutdown (Service manager shutdown request) ******************************************** Current Date Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date
What I'm trying to do is find these
At 09:01:45 -0800 -
Encryption: optional encryption with no certificate; reports in cleartext
The above would have message_type=Encryption. This example
At 09:00:39 -0800 -
Starting client version xx.yy.zz.aa
FIPS mode disabled by default.
Cryptographic module initialized successfully.
Using crypto library libBEScrypto - OpenSSL
would have message_type="No message type". I've tried using colon (:), but there are messages with embedded colons. Any thoughts on how to solve this are appreciated.
TIA,
Joe
From your SPL, it looks like you're trying to access the first line after At as the message type
Have you tried extracting Message type with
| rex field=_raw "(?s)At \d+:\d+:\d+\s+-0800\s+-..\s+(?<message_type>\w+):"
where the .. will match the line feed (you may only need a single dot, depending on the data).
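As an added worked example (this is not the poster's SPL or the answer's, and the log entries below are constructed rather than taken from the thread), the same extraction done in Python so the behaviour can be checked offline. It generalizes the answer's regex in three ways: the type is taken only from the first message line, so colons embedded later in the message or inside a URL are ignored; the type may contain spaces, so multi-word types such as "Initializing Site" from the output above are kept, where a bare \w+ would not match them; and the leading blank that the sed newline-to-space rewrite left in front of the type, which is what defeated the == comparison, is stripped before comparing. It also picks out the "reports in cleartext" Encryption status, the line in these logs a defender would want to alert on.

```python
import re
from collections import Counter

# Constructed sample BigFix client-log events (not the thread's data). Each string is
# one multi-line Splunk event: an "At HH:MM:SS -0800 -" header, message on the next line(s).
SAMPLE_EVENTS = [
    "At 09:01:45 -0800 -\n   Encryption: optional encryption with no certificate; reports in cleartext",
    "At 09:00:39 -0800 -\n   Starting client version xx.yy.zz.aa\n   FIPS mode disabled by default.\n"
    "   Cryptographic module initialized successfully.\n   Using crypto library libBEScrypto - OpenSSL",
    # Embedded colon inside a URL on the first line (hypothetical relay hostname).
    "At 09:02:10 -0800 -\n   RegisterOnce: Attempting secure registration with 'https://relay.example.test:52311'",
    # Colon present, but not on the first message line, so this must NOT get a type.
    "At 09:02:30 -0800 -\n   Starting client version 10.0.0.0\n   Note: this colon is on a later line",
    # Multi-word type, as seen in the poster's stats output.
    "At 09:03:00 -0800 -\n   Initializing Site: actionsite",
]

NO_TYPE = "No message type"

# Header as it appears in the thread. The offset is allowed to be any +/-HHMM, not just
# -0800. We deliberately do not use (?s): first_line stops at the end of the first line.
HEADER_RE = re.compile(
    r"^At \d{2}:\d{2}:\d{2}\s+[+-]\d{4}\s+-[ \t]*\r?\n?[ \t]*(?P<first_line>[^\r\n]*)"
)

# A message type is the text before the first colon on the FIRST line, and that colon must be
# followed by whitespace or end of line. A colon glued to text (a time, a URL port) is no type.
TYPE_RE = re.compile(r"^(?P<message_type>[^:\r\n]+):(?:\s|$)")


def extract_message_type(event: str) -> str:
    """Return the message type of one BigFix event, or NO_TYPE if its first line has none."""
    header = HEADER_RE.match(event)
    if not header:
        return NO_TYPE
    # strip() removes the leading blank that made message_type != message_type_ns in the SPL.
    first_line = header.group("first_line").strip()
    typed = TYPE_RE.match(first_line)
    return typed.group("message_type").strip() if typed else NO_TYPE


def count_by_type(events) -> Counter:
    """Equivalent of '| stats count by message_type' over the parsed events."""
    return Counter(extract_message_type(e) for e in events)


def find_cleartext_reports(events) -> list:
    """Events whose Encryption status says client reports leave the host in cleartext.

    The 'optional encryption with no certificate; reports in cleartext' line quoted in the
    question is a weak-configuration indicator worth a detection rule, not just a count."""
    return [
        e for e in events
        if extract_message_type(e) == "Encryption" and "cleartext" in e.lower()
    ]


def splunk_style_check(message_type: str) -> bool:
    """Mirror of the poster's test: message_type == replace(message_type, " ", "").

    Any space at all, including the single leading blank left by the sed newline rewrite,
    makes this False, which is why every row came out as 'No message type'."""
    return message_type == message_type.replace(" ", "")


if __name__ == "__main__":
    for message_type, n in sorted(count_by_type(SAMPLE_EVENTS).items()):
        print(f"{n:>3}  {message_type}")
    for hit in find_cleartext_reports(SAMPLE_EVENTS):
        print("ALERT cleartext reporting:", hit.splitlines()[-1].strip())
    print("poster's check on ' Encryption':", splunk_style_check(" Encryption"))
    print("poster's check on 'Encryption': ", splunk_style_check("Encryption"))
```

Run it as a script to see the per-type counts and the cleartext alert; the two trailing lines show the leading-space comparison failing and succeeding, which is the whole difference between the stats output above and the working makeresults case.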