Splunk Search

String comparison

jwhughes58
Contributor

I've got this search

index=main sourcetype="bigfix"
| eval raw=_raw 
| rex mode=sed field=raw "s/\n/ /g" 
| rex field=raw "At \d+:\d+:\d+\s+-0800\s+-(?<message>.*)"
| rex field=message "^(?<message_type>[^:]+):\s"
| eval message_type_ns=replace(message_type, " ", "")
| eval x_message_type=if(message_type == message_type_ns, message_type, "No message type")
| stats count by message_type, message_type_ns, x_message_type

That doesn't appear to be working correctly.  I'm always getting either all true or all false.  This is the output.

"message_type","message_type_ns","x_message_type",count
"     ActionLogMessage",ActionLogMessage,"No message type",240
"     ActiveDirectory",ActiveDirectory,"No message type",128
"     Client has an AuthenticationCertificate    Relay selected",ClienthasanAuthenticationCertificateRelayselected,"No message type",2
"     Client shutdown (Service manager shutdown request) ******************************************** Current Date","Clientshutdown(Servicemanagershutdownrequest)********************************************CurrentDate","No message type",3
"     Encryption",Encryption,"No message type",11
"     Initializing Site",InitializingSite,"No message type",43
"     PollForCommands",PollForCommands,"No message type",13
"     Processing fixlet site. ******************************************** Current Date","Processingfixletsite.********************************************CurrentDate","No message type",1
"     RegisterOnce",RegisterOnce,"No message type",149
"     Report posted successfully ******************************************** Current Date","Reportpostedsuccessfully********************************************CurrentDate","No message type",1
"     Restricted mode    Initializing Site",RestrictedmodeInitializingSite,"No message type",3
"     User interface process disabled for user 'user'    ActiveDirectory","Userinterfaceprocessdisabledforuser'user'ActiveDirectory","No message type",1
"     User interface process disabled for user 'user'    ActiveDirectory","Userinterfaceprocessdisabledforuser'user'ActiveDirectory","No message type",1
"     User interface session ended for user 'user'    User interface session ended for user 'user' ******************************************** Current Date","Userinterfacesessionendedforuser'user'Userinterfacesessionendedforuser'user'********************************************CurrentDate","No message type",1
"     User interface session ended for user 'user'    ActiveDirectory","Userinterfacesessionendedforuser'user'ActiveDirectory","No message type",1
"     User interface session ended for user 'user' ******************************************** Current Date","Userinterfacesessionendedforuser'user'********************************************CurrentDate","No message type",1

When I try this simple case, it works.

| makeresults
| eval string_a="Client shutdown (Service manager shutdown request) ******************************************** Current Date"
| eval string_b="Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date"
| eval my_string=if(string_a == string_b, string_a, string_b)

And the output

_time	my_string	string_a	string_b
2023-12-07 10:14:17	Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date	Client shutdown (Service manager shutdown request) ******************************************** Current Date	Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date

What I'm trying to do is find these

At 09:01:45 -0800 - 
   Encryption: optional encryption with no certificate; reports in cleartext

The above would have message_type=Encryption.  This example

At 09:00:39 -0800 - 
   Starting client version xx.yy.zz.aa
   FIPS mode disabled by default.
   Cryptographic module initialized successfully.
   Using crypto library libBEScrypto - OpenSSL

would have message_type="No message type".  I've tried using colon (:), but there are messages with embedded colons.  Any thoughts on how to solve this are appreciated.

TIA,

Joe

1 Solution

bowesmana
SplunkTrust
SplunkTrust

From your SPL, it looks like you're trying to access the first line after "At" as the message type.

Have you tried extracting Message type with

| rex field=_raw "(?s)At \d+:\d+:\d+\s+-0800\s+-..\s+(?<message_type>\w+):"

where the .. will match the line feed (you may only need a single dot, depending on the data).
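
To make the difference between the two approaches concrete, here is the answer's rex and the question's original pipeline run side by side over the two events quoted in the question plus one constructed event. This is an added Python example, not code from the original post or from Splunk; the third event, the hostname relay.example.internal and the function names answer_message_type / original_pipeline are made up for illustration. One syntax point for anyone porting the pattern: Splunk's rex takes PCRE named groups written (?<name>...), while Python's re module needs (?P<name>...); the regex is otherwise unchanged.

```python
import re

# Constructed sample events, modelled on the two multi-line BigFix client
# log events quoted in the question. The third event is made up to cover the
# "embedded colon" case: no type on the first body line, but a colon later.
EVENTS = [
    "At 09:01:45 -0800 - \n"
    "   Encryption: optional encryption with no certificate; reports in cleartext",
    "At 09:00:39 -0800 - \n"
    "   Starting client version xx.yy.zz.aa\n"
    "   FIPS mode disabled by default.\n"
    "   Cryptographic module initialized successfully.\n"
    "   Using crypto library libBEScrypto - OpenSSL",
    "At 09:02:10 -0800 - \n"
    "   Report posted successfully\n"
    "   Relay selected: relay.example.internal",   # constructed hostname
]

# The accepted answer's regex. Splunk rex takes PCRE named groups written
# (?<name>...); Python's re module spells the same group (?P<name>...).
# (?s) lets the two dots consume the " \n" that ends the timestamp line, and
# \w+: only matches when the first word of the body is immediately followed
# by a colon, so a colon further down the event is never picked up.
ANSWER_RE = re.compile(
    r"(?s)At \d+:\d+:\d+\s+-0800\s+-..\s+(?P<message_type>\w+):"
)


def answer_message_type(event):
    """Message type per the answer's rex, or None where rex would leave it null."""
    m = ANSWER_RE.search(event)
    return m.group("message_type") if m else None


# The question's pipeline, reproduced step for step so the failure is visible.
MESSAGE_RE = re.compile(r"At \d+:\d+:\d+\s+-0800\s+-(?P<message>.*)")
TYPE_RE = re.compile(r"^(?P<message_type>[^:]+):\s")


def original_pipeline(event):
    """Return (message_type, message_type_ns, x_message_type) as the question's
    SPL computes them, or None when the second rex does not match (Splunk then
    leaves the field null and 'stats count by' drops the event)."""
    raw = event.replace("\n", " ")                    # rex mode=sed "s/\n/ /g"
    m = MESSAGE_RE.search(raw)
    if not m:
        return None
    t = TYPE_RE.match(m.group("message"))            # rex field=message "^..."
    if not t:
        return None
    message_type = t.group("message_type")           # keeps the leading blanks
    message_type_ns = message_type.replace(" ", "")  # replace(message_type, " ", "")
    x_message_type = message_type if message_type == message_type_ns else "No message type"
    return message_type, message_type_ns, x_message_type


if __name__ == "__main__":
    for event in EVENTS:
        print(repr(answer_message_type(event)), "|", original_pipeline(event))
```

Running it shows why the original search produced "No message type" on every row: the replaced newline and the indentation leave five leading blanks in message_type, so it can never equal its space-stripped copy, and on the third event `[^:]+` runs past the first body line to the colon in "Relay selected:". The answer's regex returns "Encryption" for the first event and nothing for the other two; in SPL you can turn that null into the label the question wanted with `| fillnull value="No message type" message_type`. Both regexes also hard-code the -0800 offset that appears in the sample events, so a client logging with a different offset will not match either pattern.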

 
