Splunk Search

Using OR with rex commands or combining search results

RVDowning
Contributor

I need to perform a search that extracts user ids from unformatted log lines where the user id would be extracted by one of the following rex commands.

Conceptually it would be something like:

sourcetype="LogsPRD" 22CD91CF-C32F-43E0-A8A6-A09F00D0B9F4  
| rex field=_raw "Users\\\(?<xxx>\w*)" 
OR rex field=_raw ": FEDERATED\\\(?<xxx>\w*)" 
OR rex field=_raw "user FEDERATED\\\(?<xxx>\w*)" 
| eval xxx=upper(xxx) | stats values(xxx)

So, it is essentially three searches with the results to be combined. Does this make any sense?

tfletcher_splun
Splunk Employee
Splunk Employee

The best thing to do would probably be to use props and transforms. If you define each of these rex commands as a REPORT transform you can then specify multiple in your props.conf and the first successful extraction will be used. See that here:

[http://docs.splunk.com/Documentation/Splunk/4.3.3/Knowledge/Createandmaintainsearch-timefieldextract...]

In the shortterm you can make the regex more complicated to use it in one.

1

0 Karma

tfletcher_splun
Splunk Employee
Splunk Employee

argh link isn't taking you to the section of the page, just scroll there, it's the first example, Configuring a field extraction that utilizes multiple field transforms

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!