Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Will you help me create a regex to extract one or more lines with same heading in a single event?

splunkreal
Motivator
‎09-19-2018 08:04 AM

Hello guys,

I'm adding this to my search in order to extract fields :

| rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<DNmanquante>[^,]+)[^']+'\n(- CODE \(serial : (?P<CRLmanquante>\d+)\) error.\n-+\n)+"

Event example :

CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
- CODE (serial : 1234) error.
---------------------------------------------------------
- CODE (serial : 5676) error.
---------------------------------------------------------
- CODE (serial : 5677) error.
---------------------------------------------------------
- CODE (serial : 5678) error.
---------------------------------------------------------
- CODE (serial : 5679) error.
---------------------------------------------------------
CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'

I want to get XXX 2025:1234,XXX 2025:5678...etc like a tree with 1 or more branches.

The problem is it returns only last match : 5679

Thanks a lot.

Regex101 link : https://regex101.com/r/M96VAN/2

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-19-2018 09:43 AM

@realsplunk
Can you please try following search?

YOUR_SEARCH | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Here I have used separate rex for CN & Code.

My Sample Search:

| makeresults | eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 - CODE (serial : 1234) error.
 ---------------------------------------------------------
 - CODE (serial : 5676) error.
 ---------------------------------------------------------
 - CODE (serial : 5677) error.
 ---------------------------------------------------------
 - CODE (serial : 5678) error.
 ---------------------------------------------------------
 - CODE (serial : 5679) error.
 ---------------------------------------------------------
 CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'" | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Updated Ans:

YOUR_SEARCH | rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

My Sample Search:

| makeresults 
| eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------
  - CODE (serial : 5678) error.
  ---------------------------------------------------------
  - CODE (serial : 5679) error.
  ---------------------------------------------------------
  CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
   - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------" 
| rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

Thanks

View solution in original post

Reply
Solved! Jump to solution

rey123
Path Finder
‎09-11-2019 01:21 AM

@kamlesh_vaghela , could you please guide what the regex would have been if we were to want to extract only the first occurrence of the (or ) from the results? Should 'max_match' = 1 in that case? Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-19-2018 09:43 AM

@realsplunk
Can you please try following search?

YOUR_SEARCH | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Here I have used separate rex for CN & Code.

My Sample Search:

| makeresults | eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 - CODE (serial : 1234) error.
 ---------------------------------------------------------
 - CODE (serial : 5676) error.
 ---------------------------------------------------------
 - CODE (serial : 5677) error.
 ---------------------------------------------------------
 - CODE (serial : 5678) error.
 ---------------------------------------------------------
 - CODE (serial : 5679) error.
 ---------------------------------------------------------
 CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'" | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Updated Ans:

YOUR_SEARCH | rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

My Sample Search:

| makeresults 
| eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------
  - CODE (serial : 5678) error.
  ---------------------------------------------------------
  - CODE (serial : 5679) error.
  ---------------------------------------------------------
  CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
   - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------" 
| rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

Thanks

Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-20-2018 02:43 AM

Hi Kamlesh, thanks however this way I can't associate CN with CODE accordingly.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-20-2018 09:23 PM

@realsplunk

quick question.

The event you provided will come in a single event or individual event?

0 Karma
Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-21-2018 12:04 AM

It's a multiline single event, thanks 🙂

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-21-2018 06:27 AM

Dirty solution :

CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']+'\n- CODE \(serial : (?P<CODE>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE2>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE3>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE4>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE5>\d+)\) error.\n-+\n
* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-21-2018 09:32 AM

@realsplunk

See my Updated ans. 🙂
I hope I will work for you.

0 Karma
Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-24-2018 03:12 AM

Congratulations, it works, good method 🙂

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-24-2018 03:18 AM

Great.
Glad to help you.

Happy Splunking

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-19-2018 08:38 AM

Hi...your rex query got damaged, since the answer portal can not accept those..
after writing your rex query, select it and then do "control-k" (to make it as a "code")..
or , use backticks before and after your rex (like.. | rex field=_raw ..) ...

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-19-2018 08:55 AM

Thank you 🙂

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...