Solved: Will you help me create a regex to extract one or ...

realsplunk · ‎09-19-2018

Hello guys,

I'm adding this to my search in order to extract fields :

| rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<DNmanquante>[^,]+)[^']+'\n(- CODE \(serial : (?P<CRLmanquante>\d+)\) error.\n-+\n)+"

Event example :

CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
- CODE (serial : 1234) error.
---------------------------------------------------------
- CODE (serial : 5676) error.
---------------------------------------------------------
- CODE (serial : 5677) error.
---------------------------------------------------------
- CODE (serial : 5678) error.
---------------------------------------------------------
- CODE (serial : 5679) error.
---------------------------------------------------------
CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'

I want to get XXX 2025:1234,XXX 2025:5678...etc like a tree with 1 or more branches.

The problem is it returns only last match : 5679

Thanks a lot.

Regex101 link : https://regex101.com/r/M96VAN/2

kamlesh_vaghela · ‎09-19-2018

@realsplunk
Can you please try following search?

YOUR_SEARCH | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Here I have used separate rex for CN & Code.

My Sample Search:

| makeresults | eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 - CODE (serial : 1234) error.
 ---------------------------------------------------------
 - CODE (serial : 5676) error.
 ---------------------------------------------------------
 - CODE (serial : 5677) error.
 ---------------------------------------------------------
 - CODE (serial : 5678) error.
 ---------------------------------------------------------
 - CODE (serial : 5679) error.
 ---------------------------------------------------------
 CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'" | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Updated Ans:

YOUR_SEARCH | rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

My Sample Search:

| makeresults 
| eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------
  - CODE (serial : 5678) error.
  ---------------------------------------------------------
  - CODE (serial : 5679) error.
  ---------------------------------------------------------
  CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
   - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------" 
| rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

Thanks

View solution in original post

rey123 · ‎09-11-2019

@kamlesh_vaghela , could you please guide what the regex would have been if we were to want to extract only the first occurrence of the (or ) from the results? Should 'max_match' = 1 in that case? Thanks!

kamlesh_vaghela · ‎09-19-2018

@realsplunk
Can you please try following search?

YOUR_SEARCH | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Here I have used separate rex for CN & Code.

My Sample Search:

| makeresults | eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 - CODE (serial : 1234) error.
 ---------------------------------------------------------
 - CODE (serial : 5676) error.
 ---------------------------------------------------------
 - CODE (serial : 5677) error.
 ---------------------------------------------------------
 - CODE (serial : 5678) error.
 ---------------------------------------------------------
 - CODE (serial : 5679) error.
 ---------------------------------------------------------
 CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'" | rex max_match=0 field=_raw "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" | rex max_match=0 field=_raw "(- CODE \(serial : (?P<CODE>\d+)\) error)"

Updated Ans:

YOUR_SEARCH | rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

My Sample Search:

| makeresults 
| eval _raw="CC :' 223' de DN : 'CN=XXX 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------
  - CODE (serial : 5678) error.
  ---------------------------------------------------------
  - CODE (serial : 5679) error.
  ---------------------------------------------------------
  CC :' 224' de DN : 'CN=YYY 2025, ABCDEFGHIJKLMNOPQRSTUVWXYZ'
   - CODE (serial : 1234) error.
  ---------------------------------------------------------
  - CODE (serial : 5676) error.
  ---------------------------------------------------------
  - CODE (serial : 5677) error.
  ---------------------------------------------------------" 
| rex max_match=0 field=_raw "(?<data>.*[^\n]+)" 
| mvexpand data 
| table data 
| rex max_match=0 field=data "CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']*'" 
| rex max_match=0 field=data "(- CODE \(serial : (?P<CODE>\d+)\) error)" 
| filldown CN 
| search CODE=* | table CN CODE

Thanks

View solution in original post

realsplunk · ‎09-20-2018

Hi Kamlesh, thanks however this way I can't associate CN with CODE accordingly.

kamlesh_vaghela · ‎09-20-2018

@realsplunk

quick question.

The event you provided will come in a single event or individual event?

realsplunk · ‎09-21-2018

It's a multiline single event, thanks 🙂

realsplunk · ‎09-21-2018

Dirty solution :

CC :' \d+' de DN : 'CN=(?<CN>[^,]+)[^']+'\n- CODE \(serial : (?P<CODE>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE2>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE3>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE4>\d+)\) error.\n-+\n- CODE \(serial : (?P<CODE5>\d+)\) error.\n-+\n

kamlesh_vaghela · ‎09-21-2018

@realsplunk

See my Updated ans. 🙂
I hope I will work for you.

realsplunk · ‎09-24-2018

Congratulations, it works, good method 🙂

kamlesh_vaghela · ‎09-24-2018

Great.
Glad to help you.

Happy Splunking

inventsekar · ‎09-19-2018

Hi...your rex query got damaged, since the answer portal can not accept those..
after writing your rex query, select it and then do "control-k" (to make it as a "code")..
or , use backticks before and after your rex (like.. | rex field=_raw ..) ...

realsplunk · ‎09-19-2018

Thank you 🙂

Will you help me create a regex to extract one or more lines with same heading in a single event?

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >

Will you help me create a regex to extract one or more lines with same heading in a single event?

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.Find out what your skills are worth! Read the report >

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >