Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

regex field extraction question

remy06
Contributor
‎09-30-2011 01:20 AM

I'm trying to extract these values into a field called Data.

from sample 1:

CMD(XYZ) Val(*12A)

In props.conf

[log]
REPORT-mydata = mydata

In transforms.conf 

[mydata]
REGEX = (?i).*CMD\((?<Data>\S+)\)

but it can only capture the values XYZ after CMD.I wana include the entire string like CMD(XYZ) Val(*12A).
How do I specify in the regex to include the entire string?

sample 1:

Sep 29 13:13:25 10.138.20.37 Sep 29 13:07:25 serverA A command (CMD) was run.|3|src=1.2.3.4 dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:123 JUSER:user JNBR:123 PGM:abc OBJECT: LIBRARY: MEMBER: DETAIL:C CMD SYS CMD N SYS/CMD LIB(ABCD) DEV(*SA) SAVF(temp) OPTION(*NA) MBROPT(*ALL) OBJ(*ALL) FR(*SYSVAL) **CMD(XYZ) Val(*12A)*

Sep 29 13:13:25 10.138.20.37 Sep 29 13:07:25 serverA A command (CMD) was run.|3|src=1.2.3.4 dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:123 JUSER:user JNBR:123 PGM:abc OBJECT: LIBRARY: MEMBER: DETAIL:C CMD SYS CMD N SYS/CMD LIB(ABCD) DEV(*SA) SAVF(temp) OPTION(*NA) MBROPT(*ALL) OBJ(*ALL) JJJ(*NA) **CMD(XYZ) Val(*12A)*

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎09-30-2011 01:33 AM

you could use;

(\w+\([^)]+\))

to capture each one separately and then just assign them the same field extraction name so you can associate them with your events correctly.
I have made some assumptions however that there isn't another set of characters arranged like that in the events.

Feel free to comment if this is off the mark 🙂

Have a look at the following links for details on configuring these via the config files

http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Propsconf

Transforms.conf
[data_regex]
REGEX = (\w+\([^)]+\))
FORMAT = data::$1

Props.conf
REPORT-data_regex = data_regex

The transforms lines say to name group 1 ($1) as data (or whatever you specify).
You could also do;

Transforms.conf
[data_regex]
REGEX = (?<data>\w+\([^)]+\))

EDIT:
Assuming you answer yes to my comment on your question then;

(CMD\([^)]+\) [^)]+\))

View solution in original post

Reply
Solved! Jump to solution

Drainy
Champion
‎09-30-2011 02:40 AM

does it always end with the data you want to collect? as in they are always at the end of the event?

0 Karma
Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎09-30-2011 01:33 AM

you could use;

(\w+\([^)]+\))

to capture each one separately and then just assign them the same field extraction name so you can associate them with your events correctly.
I have made some assumptions however that there isn't another set of characters arranged like that in the events.

Feel free to comment if this is off the mark 🙂

Have a look at the following links for details on configuring these via the config files

http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Propsconf

Transforms.conf
[data_regex]
REGEX = (\w+\([^)]+\))
FORMAT = data::$1

Props.conf
REPORT-data_regex = data_regex

The transforms lines say to name group 1 ($1) as data (or whatever you specify).
You could also do;

Transforms.conf
[data_regex]
REGEX = (?<data>\w+\([^)]+\))

EDIT:
Assuming you answer yes to my comment on your question then;

(CMD\([^)]+\) [^)]+\))
Reply
Solved! Jump to solution

Drainy
Champion
‎09-30-2011 03:25 AM

no prob 🙂

0 Karma
Reply
Solved! Jump to solution

remy06
Contributor
‎09-30-2011 03:25 AM

it works..thanks 🙂

0 Karma
Reply
Solved! Jump to solution

remy06
Contributor
‎09-30-2011 02:44 AM

thanks!gona test it soon

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎09-30-2011 02:42 AM

way ahead of you, check out my comment on the question and my edit 🙂

0 Karma
Reply
Solved! Jump to solution

remy06
Contributor
‎09-30-2011 02:41 AM

thanks..I've also updated the example event hopefully its much clearer

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎09-30-2011 01:59 AM

your added examples have 3 characters followed by whitespace and then more characters. my example will look for characters followed directly by an open bracket.
Is there some defined example that this data always follows you could also use to regex on?

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎09-30-2011 01:54 AM

@remy06 you can use the same thing, I'll update my answer with two examples

0 Karma
Reply
Solved! Jump to solution

remy06
Contributor
‎09-30-2011 01:51 AM

there are set of characters in other parts of the event. I've updated the sample.Usually if I specify in transforms.conf the "" becomes the extracted field name. In your example how do I specify the field name?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...