Splunk Search

regex field extraction question

remy06
Contributor

I'm trying to extract these values into a field called Data.

from sample 1:

CMD(XYZ) Val(*12A)

In props.conf

[log]
REPORT-mydata = mydata 

In transforms.conf

[mydata]
REGEX = (?i).*CMD\((?<Data>\S+)\) 

but it can only capture the values XYZ after CMD.I wana include the entire string like CMD(XYZ) Val(*12A).
How do I specify in the regex to include the entire string?

sample 1:

Sep 29 13:13:25 10.138.20.37 Sep 29 13:07:25 serverA A command (CMD) was run.|3|src=1.2.3.4 dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:123 JUSER:user JNBR:123 PGM:abc OBJECT: LIBRARY: MEMBER: DETAIL:C CMD SYS CMD N SYS/CMD LIB(ABCD) DEV(*SA) SAVF(temp) OPTION(*NA) MBROPT(*ALL) OBJ(*ALL) FR(*SYSVAL) **CMD(XYZ) Val(*12A)*

Sep 29 13:13:25 10.138.20.37 Sep 29 13:07:25 serverA A command (CMD) was run.|3|src=1.2.3.4 dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:123 JUSER:user JNBR:123 PGM:abc OBJECT: LIBRARY: MEMBER: DETAIL:C CMD SYS CMD N SYS/CMD LIB(ABCD) DEV(*SA) SAVF(temp) OPTION(*NA) MBROPT(*ALL) OBJ(*ALL) JJJ(*NA) **CMD(XYZ) Val(*12A)*

Tags (2)
0 Karma
1 Solution

Drainy
Champion

you could use;

(\w+\([^)]+\))

to capture each one separately and then just assign them the same field extraction name so you can associate them with your events correctly.
I have made some assumptions however that there isn't another set of characters arranged like that in the events.

Feel free to comment if this is off the mark 🙂

Have a look at the following links for details on configuring these via the config files

http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Propsconf

Transforms.conf
[data_regex]
REGEX = (\w+\([^)]+\))
FORMAT = data::$1

Props.conf
REPORT-data_regex = data_regex

The transforms lines say to name group 1 ($1) as data (or whatever you specify).
You could also do;

Transforms.conf
[data_regex]
REGEX = (?<data>\w+\([^)]+\))

EDIT:
Assuming you answer yes to my comment on your question then;

(CMD\([^)]+\) [^)]+\))

View solution in original post

Drainy
Champion

does it always end with the data you want to collect? as in they are always at the end of the event?

0 Karma

Drainy
Champion

you could use;

(\w+\([^)]+\))

to capture each one separately and then just assign them the same field extraction name so you can associate them with your events correctly.
I have made some assumptions however that there isn't another set of characters arranged like that in the events.

Feel free to comment if this is off the mark 🙂

Have a look at the following links for details on configuring these via the config files

http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Propsconf

Transforms.conf
[data_regex]
REGEX = (\w+\([^)]+\))
FORMAT = data::$1

Props.conf
REPORT-data_regex = data_regex

The transforms lines say to name group 1 ($1) as data (or whatever you specify).
You could also do;

Transforms.conf
[data_regex]
REGEX = (?<data>\w+\([^)]+\))

EDIT:
Assuming you answer yes to my comment on your question then;

(CMD\([^)]+\) [^)]+\))

Drainy
Champion

no prob 🙂

0 Karma

remy06
Contributor

it works..thanks 🙂

0 Karma

remy06
Contributor

thanks!gona test it soon

0 Karma

Drainy
Champion

way ahead of you, check out my comment on the question and my edit 🙂

0 Karma

remy06
Contributor

thanks..I've also updated the example event hopefully its much clearer

0 Karma

Drainy
Champion

your added examples have 3 characters followed by whitespace and then more characters. my example will look for characters followed directly by an open bracket.
Is there some defined example that this data always follows you could also use to regex on?

0 Karma

Drainy
Champion

@remy06 you can use the same thing, I'll update my answer with two examples

0 Karma

remy06
Contributor

there are set of characters in other parts of the event. I've updated the sample.Usually if I specify in transforms.conf the "" becomes the extracted field name. In your example how do I specify the field name?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...