Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on rex command

jip31
Motivator
‎03-19-2021 06:29 AM

hello

 

My field sounds like this

 

03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w$

 

And I need to catch everything after 

 

03/01/2019 07:10 0

 

it means I just need :

 

03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w$

 

could you help me please??

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 08:04 AM

Hi @jip31,

Your linebreaker problem seems because of timestamps. It assumes %m-%d-%Y but it %d-%m-%Y

Please try changing your TIME_FORMAT to Advanced and use below format;

%d-%m-%Y %H:%M

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 08:04 AM

Hi @jip31,

Your linebreaker problem seems because of timestamps. It assumes %m-%d-%Y but it %d-%m-%Y

Please try changing your TIME_FORMAT to Advanced and use below format;

%d-%m-%Y %H:%M

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

abhijeet01
Path Finder
‎03-24-2021 06:57 AM

Hi @jip31 ,

 

Try this.

 

| rex field=_raw "
\d+\/\d+\/\d+\s\d+:\d+\s\d\s(?P<Field>[^\s*][A-Za-z0-9\s()._$]*)"

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎03-19-2021 01:10 PM

Hi @jip31,

Can you please share your _raw data using a screenshot ? There should be a difference on your data with your sample. 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-24-2021 01:53 AM

hello

 

here is

https://www.cjoint.com/c/KCyi0QPTiJb

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-24-2021 02:10 AM 
| rex "\d+\/\d+\/\d+\s+\d+:\d+\s+\d+\s+(?<field>.*)"
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-24-2021 07:12 AM

Have you tried this - it is subtly different from the other rex strings because it takes into account multiple white-space characters in all instances - these are apparent in your screenshot.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-24-2021 07:41 AM

Like I said, the first problem I have is to extract these field

You can see here the sourcetype config  https://www.cjoint.com/c/KCyoNqARbmb

After this, I try to extract the field with the field extractor  I need but it doenst works and i dont understand why

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-19-2021 06:35 AM

Hi @jip31,

to catch all after the string "03/01/2019 07:10 0 ", please, try this regex:

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<your_field>.*)"

 that you can test at https://regex101.com/r/lxl2sg/1

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-19-2021 07:23 AM

it works fine in regex101 but not in my search

here is what i am doing :

index=toto sourcetype="flags" 
| rex field1="\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<field1>.*)" 
| table field1

is there something wrong??

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-24-2021 05:17 AM

Hi @jip31,

yes: the rex command has a different syntax:

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<your_field>.*)"

You haven't to add "field1=" before the regex.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-24-2021 06:29 AM

hi

I think I am not speaking clearly

I need to extract the field yellow in the screenshot and to call him "software" https://www.cjoint.com/c/KCynsMbuF2b 

what I dont understand is that when I try to extract the field manually with a regex method, all the lines have disappeared except the first which begins by "Microsoft Windows..."

so I can use you regex because "your_field" doesnt exists

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-24-2021 06:38 AM

Hi @jip31,

sorry but I don't understand the problem:

did you tried my regex (the one I hinted not the one you used) replacing your_field with software?

| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<software>.*)"

If it's not running in your Splunk, what's your result?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-24-2021 07:08 AM

Giuseppe

The regex dont works because I dont succeed to extract this field properly....

When I am doing an field extraction, I cath the field, I called him "software" but at the end of the extraction, all the line have disappeared...

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-24-2021 09:03 AM

Hi @jip31,

please check if the data you share are correct, because, using your data it runs:

| makeresults 
| eval _raw="03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w"
| rex "\d+\/\d+\/\d+\s+\d+:\d+\s\d+\s+(?<software>.*)"
| table software

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-25-2021 02:47 AM

yes like this it works fine

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-19-2021 09:15 AM

You don't need field1=, rex defaults to matching against _raw.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-19-2021 09:47 AM

It doesnt works even if i dont do field1=

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...