how to compare regex with string, which are two di...

annamareddi · ‎08-31-2016

i have a regex pattern in my .CSV file. Pattern1= A$B$C|K$L$M|X$Y$Z. where "$" is a variable like date and ID
each pattern is tagged to a unique number. Unique number=123 for Pattern1.
i tried to split the pattern1 in my search by pipe(|) using eval split command.
i need first(_raw) for these splitted patterns.
my output is

unique number splitted_pattern (_raw)
123 A$B$C ABC
KLM
XYZ

123 K$L$M ABC
KLM
XYZ

123 X$Y$Z ABC
KLM
XYZ
but i need a output as

unique number splitted_pattern (_raw)
123 A$B$C ABC
123 K$L$M KLM
123 X$Y$Z XYZ

jkat54 · ‎08-31-2016

Add this to your search:

|mvexpand splitted_pattern

It works for me when I generate the data like this:

| makeresults count=1 | eval csv="123,ABC|KLM|XYZ" | rex field=csv "(?<uniqnum>\d+),(?<patterns>.*)" |  eval splitted_pattern=split(patterns,"|") | mvexpand splitted_pattern

inventsekar · ‎08-31-2016

can you write us your current query please.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

how to compare regex with string, which are two different fields in my search query output.

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?