Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

regex for event type.

brettcave
Builder
‎11-20-2012 12:06 AM

Hi, is it not possible to use a regex to determine an event type. I would like to usee something like: 

\d{4}-\d{1,2}-\d{1,2}T\d{2}:\d{2}:\d{2}.\d{3}. \| [A-Z]+ \|

to classify events.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-20-2012 12:13 AM

You can create an event type based on a search. In that search, use the regex command to match against your expression.

View solution in original post

Reply
Solved! Jump to solution

brettcave
Builder
‎11-20-2012 12:22 AM

How do you use a regex command?

| regex _raw="(my regex)"

Message: Eventtype search string cannot be a search pipeline or contain a subsearch

Doesn't work.

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎11-20-2012 10:55 PM

Both events are a sort of log4j / syslog custom brew, but with slightly different syntaxes, so the most effective way of categorizing them would be by rex.

martin_mueller's suggestion of creating a field extractor based on the rex is a great suggestion, and would work well for this situation.

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎11-20-2012 10:54 PM

well I can't use any pipe command with event types, so it wouldn't work with | rex ... either. I have events that are generated from 2 sources, and want to use the format of the sources as event type identifiers, so for example, source 1 formats as follows:

2012-11-21T06:50:19.721Z | INFO | some message

and source 2 formats as follows:

Nov 20 23:26:43 localhost Nov 20 23:26:43 ip-10-0-3-148 INFO | com.my.logger | thread
0 Karma
Reply
Solved! Jump to solution

Rob
Splunk Employee
Splunk Employee
‎11-20-2012 11:05 AM

It might be more informative if you can show us a more complete example. Such as the search with the entire regex.

The 'regex' command in splunk is used to filter events. If you want to extract fields, use the 'rex' command.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-20-2012 12:13 AM

You can create an event type based on a search. In that search, use the regex command to match against your expression.

Reply
Solved! Jump to solution

brettcave
Builder
‎11-20-2012 10:55 PM

that is a great suggestion, and will work well. Thanks martin.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-20-2012 01:13 AM

Bummer on the pipes. You can still use the regular expression, just go the long way by defining a field on that match, and create an eventtype based on that_field=*.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...