Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Will you help me create a regex to extract one or more lines with same heading in a single event?

splunkreal
Motivator
‎09-19-2018 08:04 AM

Hello guys,

I'm adding this to my search in order to extract fields :

| rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<DNmanquante>[^,]+)[^']+'\n(- CODE \(serial : (?P<CRLmanquante>\d+)\) error.\n-+\n)+"

Event example :

CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
- CODE (serial : 1234) error.
---------------------------------------------------------
- CODE (serial : 5676) error.
---------------------------------------------------------
- CODE (serial : 5677) error.
---------------------------------------------------------
- CODE (serial : 5678) error.
---------------------------------------------------------
- CODE (serial : 5679) error.
---------------------------------------------------------
CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'

I want to get XXX 2025:1234,XXX 2025:5678...etc like a tree with 1 or more branches.

The problem is it returns only last match : 5679

Thanks a lot.

Regex101 link : https://regex101.com/r/M96VAN/2

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-19-2018 09:43 AM

@realsplunk
Can you please try following search?

YOUR_SEARCH | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Here I have used separate rex for CN & Code.

My Sample Search:

| makeresults | eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 - CODE (serial : 1234) error.
 ---------------------------------------------------------
 - CODE (serial : 5676) error.
 ---------------------------------------------------------
 - CODE (serial : 5677) error.
 ---------------------------------------------------------
 - CODE (serial : 5678) error.
 ---------------------------------------------------------
 - CODE (serial : 5679) error.
 ---------------------------------------------------------
 CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'" | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Updated Ans:

YOUR_SEARCH | rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

My Sample Search:

| makeresults 
| eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------
  - CODE (serial : 5678) error.
  ---------------------------------------------------------
  - CODE (serial : 5679) error.
  ---------------------------------------------------------
  CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
   - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------" 
| rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

Thanks

View solution in original post

Reply
Solved! Jump to solution

rey123
Path Finder
‎09-11-2019 01:21 AM

@kamlesh_vaghela , could you please guide what the regex would have been if we were to want to extract only the first occurrence of the (or ) from the results? Should 'max_match' = 1 in that case? Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-19-2018 09:43 AM

@realsplunk
Can you please try following search?

YOUR_SEARCH | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Here I have used separate rex for CN & Code.

My Sample Search:

| makeresults | eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 - CODE (serial : 1234) error.
 ---------------------------------------------------------
 - CODE (serial : 5676) error.
 ---------------------------------------------------------
 - CODE (serial : 5677) error.
 ---------------------------------------------------------
 - CODE (serial : 5678) error.
 ---------------------------------------------------------
 - CODE (serial : 5679) error.
 ---------------------------------------------------------
 CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'" | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Updated Ans:

YOUR_SEARCH | rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

My Sample Search:

| makeresults 
| eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------
  - CODE (serial : 5678) error.
  ---------------------------------------------------------
  - CODE (serial : 5679) error.
  ---------------------------------------------------------
  CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
   - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------" 
| rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

Thanks

Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-20-2018 02:43 AM

Hi Kamlesh, thanks however this way I can't associate CN with CODE accordingly.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-20-2018 09:23 PM

@realsplunk

quick question.

The event you provided will come in a single event or individual event?

0 Karma
Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-21-2018 12:04 AM

It's a multiline single event, thanks 🙂

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-21-2018 06:27 AM

Dirty solution :

CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']+'\n- CODE \(serial : (?P<CODE>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE2>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE3>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE4>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE5>\d+)\) error.\n-+\n
* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-21-2018 09:32 AM

@realsplunk

See my Updated ans. 🙂
I hope I will work for you.

0 Karma
Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-24-2018 03:12 AM

Congratulations, it works, good method 🙂

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-24-2018 03:18 AM

Great.
Glad to help you.

Happy Splunking

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-19-2018 08:38 AM

Hi...your rex query got damaged, since the answer portal can not accept those..
after writing your rex query, select it and then do "control-k" (to make it as a "code")..
or , use backticks before and after your rex (like.. | rex field=_raw ..) ...

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

splunkreal
Motivator
‎09-19-2018 08:55 AM

Thank you 🙂

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...