Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

To remove few details using rex

sgulhane5
Explorer
‎10-20-2020 04:11 PM

Hi Team,

I have three below conditions to create a logic according to it.

Case 1: operation="OVERRIDE" should print but not a name="IP BLOCK TYPE",value="Private"

Sample log for IP BLOCK TYPE: 

[name="IP BLOCK TYPE",value="Private",operation="OVERRIDE"] 

Case 2: operation="OVERRIDE" is not present in the logs at all

Sample log for IP BLOCK TYPE: 

[name="IP BLOCK TYPE",value="Public"] 

So for above two conditions I had used  below query to fetched the desired data>>

rex field=_raw "operation=\"(?<IP_Block_Type>.\w+)\"" | where isnotnull(IP_Block_Type)

 

Case 3: 

Sample log for IP BLOCK TYPE: 

[name="IP BLOCK TYPE",value="Public",descendants_action={option_with_ea:"INHERIT",option_without_ea:"NOT_INHERIT"},operation="OVERRIDE"] 

Case numbers 1 and 2 queries look good because those logs don't contain details like case 3 (e.g. descendants_action={option_with_ea:"INHERIT",option_without_ea:"NOT_INHERIT"}).  I tried the same filter but got to know that query is taking data from 3rd case also which is not required. So basically I don't want to print anything from case number 3. Please help to get the answers for this.

@gcusello 

@Nisha18789  

@ITWhisperer 

Thanks,

Labels (1)
Labels
Tags (1)
0 Karma
Reply

sgulhane5
Explorer
‎10-21-2020 05:57 AM

@to4kawa I just want to get case number 1, not 3. 3rd case has many other details including operation="OVERRIDE" so don't want this case to be check while using 

rex field=_raw "operation=\"(?<IP_Block_Type>.\w+)\"" | where isnotnull(IP_Block_Type)

 
0 Karma
Reply

to4kawa
Ultra Champion
‎10-20-2020 05:08 PM 
index=_internal | head 1 | fields _raw | eval _raw="[name=\"IP BLOCK TYPE\",value=\"Public\",descendants_action={option_with_ea:\"INHERIT\",option_without_ea:\"NOT_INHERIT\"},operation=\"OVERRIDE\"] "
| kv

REX is not need, I guess.

0 Karma
Reply

sgulhane5
Explorer
‎10-21-2020 05:44 AM

@to4kawa Nope.. it is not working

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...