Splunk Search

help on rex command

jip31
Motivator

hello

My field sounds like this

03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w$

And I need to catch everything after

03/01/2019 07:10 0 

it means I just need:

03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w$

could you help me please??

0 Karma
1 Solution

scelikok
SplunkTrust

Hi @jip31,

Your linebreaker problem seems to be because of timestamps. It assumes %m-%d-%Y but it is %d-%m-%Y.

Please try changing your TIME_FORMAT to Advanced and use the format below:

%d-%m-%Y %H:%M

If this reply helps you an upvote and "Accept as Solution" is appreciated.

0 Karma


abhijeet01
Path Finder

Hi @jip31,

Try this.

| rex field=_raw "\d+\/\d+\/\d+\s\d+:\d+\s\d\s(?P<Field>[^\s*][A-Za-z0-9\s()._$]*)"

0 Karma

scelikok
SplunkTrust

Hi @jip31,

Can you please share your _raw data using a screenshot? There should be a difference between your data and your sample.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

jip31
Motivator
0 Karma

ITWhisperer
SplunkTrust

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s+\d+\s+(?<field>.*)"

0 Karma

ITWhisperer
SplunkTrust

Have you tried this - it is subtly different from the other rex strings because it takes into account multiple white-space characters in all instances - these are apparent in your screenshot.

0 Karma
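To make the difference between the rex patterns in this thread concrete, here is an added example that is not from any of the posters: it runs the three regexes (abhijeet01's, gcusello's and ITWhisperer's) with Python's re module over a few sample events, and also parses the leading timestamp both day-first and month-first to show the ambiguity behind the TIME_FORMAT advice in the accepted answer. Python's re only accepts (?P<name>...) where Splunk's PCRE-based rex also accepts (?<name>...), so the named groups are rewritten in that form; apart from the poster's own line, the sample events are constructed.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample events: the poster's own line, one with runs of spaces
# between fields (as ITWhisperer noted in the screenshot), and one with no
# software name after the counter.
SAMPLE_LINES = [
    "03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w$",
    "03/01/2019  07:10   0   Microsoft Windows 10 Enterprise",
    "03/01/2019 07:10 0 ",
]

# The thread's rex patterns, with (?<name>...) rewritten as Python's (?P<name>...).
PATTERNS: Dict[str, str] = {
    # abhijeet01: exactly one whitespace char between fields, a single-digit
    # counter, and a restricted character class for the captured value
    "abhijeet01": r"\d+\/\d+\/\d+\s\d+:\d+\s\d\s(?P<software>[^\s*][A-Za-z0-9\s()._$]*)",
    # gcusello: \s+ in most gaps but a single \s between the time and the counter
    "gcusello": r"\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?P<software>.*)",
    # ITWhisperer: \s+ in every gap
    "ITWhisperer": r"\d+\/\d+\/\d+\s+\d+:\d+\s+\d+\s+(?P<software>.*)",
}


def extract_software(line: str, pattern: str) -> Optional[str]:
    """Apply one pattern the way rex would and return the named group, or None."""
    m = re.search(pattern, line)
    return m.group("software") if m else None


def compare_patterns(lines: List[str] = SAMPLE_LINES) -> Dict[str, List[Optional[str]]]:
    """Return, per pattern, the value captured from each line (None = no match)."""
    return {name: [extract_software(line, pat) for line in lines]
            for name, pat in PATTERNS.items()}


# Leading "dd/mm/yyyy hh:mm" (or mm/dd/yyyy) token, tolerating runs of whitespace.
TIMESTAMP_RE = re.compile(r"^(\d+/\d+/\d+)\s+(\d+:\d+)")


def parse_timestamp(line: str, day_first: bool) -> datetime:
    """Parse the leading timestamp with a day-first or month-first layout.

    Both layouts accept 03/01/2019, so a sourcetype whose TIME_FORMAT guesses
    month-first silently turns 3 January into 1 March; that mismatch is the
    kind of line-breaking trouble scelikok's answer points at.
    """
    m = TIMESTAMP_RE.match(line)
    if not m:
        raise ValueError(f"no leading timestamp in: {line!r}")
    fmt = "%d/%m/%Y %H:%M" if day_first else "%m/%d/%Y %H:%M"
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", fmt)


if __name__ == "__main__":
    for name, values in compare_patterns().items():
        print(f"{name:12s} {values}")
    for day_first in (True, False):
        label = "day-first  " if day_first else "month-first"
        print(label, parse_timestamp(SAMPLE_LINES[0], day_first).isoformat())
```

On the poster's own line all three patterns capture the same value; on the line with doubled spaces only ITWhisperer's pattern matches, because the other two require exactly one whitespace character somewhere before the counter. The empty line shows another difference: the `.*` patterns match and capture an empty string, while abhijeet01's character class requires at least one non-space character and does not match at all.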

jip31
Motivator

Like I said, the first problem I have is to extract this field

You can see here the sourcetype config https://www.cjoint.com/c/KCyoNqARbmb

After this, I try to extract the field I need with the field extractor, but it doesn't work and I don't understand why

0 Karma

gcusello
SplunkTrust

Hi @jip31,

to catch all after the string "03/01/2019 07:10 0 ", please, try this regex:

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<your_field>.*)"

that you can test at https://regex101.com/r/lxl2sg/1

Ciao.

Giuseppe

0 Karma

jip31
Motivator

it works fine in regex101 but not in my search

here is what I am doing:

index=toto sourcetype="flags" 
| rex field1="\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<field1>.*)" 
| table field1

is there something wrong??

0 Karma

gcusello
SplunkTrust

Hi @jip31,

yes: the rex command has a different syntax:

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<your_field>.*)"

You don't have to add "field1=" before the regex.

Ciao.

Giuseppe

0 Karma

jip31
Motivator

hi

I think I am not speaking clearly

I need to extract the field in yellow in the screenshot and to call it "software" https://www.cjoint.com/c/KCynsMbuF2b

What I don't understand is that when I try to extract the field manually with a regex method, all the lines have disappeared except the first, which begins with "Microsoft Windows..."

so I can use your regex because "your_field" doesn't exist

 

0 Karma

gcusello
SplunkTrust

Hi @jip31,

sorry but I don't understand the problem:

did you try my regex (the one I hinted at, not the one you used) replacing your_field with software?

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<software>.*)"

If it's not running in your Splunk, what's your result?

Ciao.

Giuseppe

0 Karma

jip31
Motivator

Giuseppe

The regex doesn't work because I don't succeed in extracting this field properly....

When I do a field extraction, I catch the field and call it "software", but at the end of the extraction all the lines have disappeared...

0 Karma

gcusello
SplunkTrust

Hi @jip31,

please check whether the data you shared is correct, because using your data it runs:

| makeresults 
| eval _raw="03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w"
| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<software>.*)"
| table software

Ciao.

Giuseppe

0 Karma

jip31
Motivator

yes like this it works fine

0 Karma

ITWhisperer
SplunkTrust

You don't need field1=, rex defaults to matching against _raw.

0 Karma

jip31
Motivator

It doesn't work even if I don't use field1=

0 Karma