Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- To remove few details using rex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To remove few details using rex
Hi Team,
I have three below conditions to create a logic according to it.
Case 1: operation="OVERRIDE" should print but not a name="IP BLOCK TYPE",value="Private"
Sample log for IP BLOCK TYPE:
[name="IP BLOCK TYPE",value="Private",operation="OVERRIDE"]
Case 2: operation="OVERRIDE" is not present in the logs at all
Sample log for IP BLOCK TYPE:
[name="IP BLOCK TYPE",value="Public"]
So for above two conditions I had used below query to fetched the desired data>>
rex field=_raw "operation=\"(?<IP_Block_Type>.\w+)\"" | where isnotnull(IP_Block_Type)
Case 3:
Sample log for IP BLOCK TYPE:
[name="IP BLOCK TYPE",value="Public",descendants_action={option_with_ea:"INHERIT",option_without_ea:"NOT_INHERIT"},operation="OVERRIDE"]
Case numbers 1 and 2 queries look good because those logs don't contain details like case 3 (e.g. descendants_action={option_with_ea:"INHERIT",option_without_ea:"NOT_INHERIT"}). I tried the same filter but got to know that query is taking data from 3rd case also which is not required. So basically I don't want to print anything from case number 3. Please help to get the answers for this.
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa I just want to get case number 1, not 3. 3rd case has many other details including operation="OVERRIDE" so don't want this case to be check while using
rex field=_raw "operation=\"(?<IP_Block_Type>.\w+)\"" | where isnotnull(IP_Block_Type)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal | head 1 | fields _raw | eval _raw="[name=\"IP BLOCK TYPE\",value=\"Public\",descendants_action={option_with_ea:\"INHERIT\",option_without_ea:\"NOT_INHERIT\"},operation=\"OVERRIDE\"] "
| kvREX is not need, I guess.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa Nope.. it is not working
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
