Splunk Search

rex command to extract

itishree
Explorer

I have one host with multiple sourcetypes. I want to extract a field, but that field also has some differences, so for all events I have to write different rex commands. Is there any way to write one rex command for all events?

 

like this

Win_7_cuckoo.vmx

packer-centos6.vmx

test-vm-auto2.vmx

win-10-test1.vmx

So from here, everything except .vmx.

Can anyone help with this?


gcusello
SplunkTrust

Hi @itishree,

try this regex

| rex "\/[^\/]*\/[^\/]*\/[^\/]*\/(?<VMX>[^\.]*)\.vmx"

that you can test at https://regex101.com/r/WUUCpw/2

Ciao.

Giuseppe


itishree
Explorer

Same one.


itishree
Explorer

In the result I am getting this:

 

datastore1/packer-win12/packer-win12 
datastore1/packer_centos6/packer_centos6 
datastore1/packer_centos7/packer_centos7 
datastore1/packer_ubuntu18/packer_ubuntu18

 

I want only the name, like this:

packer_ubuntu18

packer_centos7


gcusello
SplunkTrust

Hi @itishree,

these logs are different from the previous ones; can we use two regexes (one for the previous and one for these) or do you want only one regex?

in both cases, can you share a sample of all the possible logs to take with the regex?

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @itishree,

sorry but I don't understand your question:

  • do you want to find a way to apply a field extraction (with one common regex) to all sourcetypes?
  • do you want to apply a different regex to each sourcetypes?

If the first, you could try to associate the field extraction to a host or a source instead of a sourcetype; I don't like it, but it's possible.

If the second, it's not possible: you have to use the correct regex for each sourcetype.

The best approach could be that you share two or three samples of your data indicating what you want to extract.

Ciao.

Giuseppe


itishree
Explorer

Yes, I want to find a way to apply a field extraction (with one common regex) to all sourcetypes.

is it possible?


gcusello
SplunkTrust

Hi @itishree,

no it isn't possible, you have to copy the field extraction for all sourcetypes.

I understand that it isn't easy to manage, but it permits you to maintain more control over your data.

There's also the choice to associate the field extraction to host and/or source, if that could be useful for you; in this way it's common to all the sourcetypes associated to that host or source.

Ciao.

Giuseppe

itishree
Explorer

index="" ".vmx" host="" | rex field=_raw "(?P<VM>\w+\/\w+\w+.vmx)(?!vmx)" | rex field=_raw "(?P<VM>\w+-\w+\/\w+\-\w+.vmx)(?!vmx)" | rex field=_raw "(?<VM>\w+\-\w+\-\w+\/\w+\-\w+\-\w+.vmx)" | stats count by VM

 

result is like this:

 
Caldera/Caldera.vmx 
Cuckoo_SNDBX/Cuckoo_SNDBX.vmx 
Win_7_cuckoo/Win_7_cuckoo.vmx 
kali/kali.vmx 
kali2019/kali2019.vmx

 

But I want:

 
Caldera

Cuckoo_SNDBX

Win_7_cuckoo

kali2019

 


gcusello
SplunkTrust

Hi @itishree,

using your sample (if you could share a real log it would be more reliable!), I see that you could use this regex

| rex "\/(?<VMX>[^\.]*)\.vmx"

that you can test at https://regex101.com/r/WUUCpw/1

Ciao.

Giuseppe



itishree
Explorer

I want, like:

win2016-test1

Win_7_cuckoo


gcusello
SplunkTrust

Hi @itishree,

is this a different question or the same?

If a different one, please open a new one; that's useful for all the other people of the Community, so I and the other people can help you.

If it's the same, please, as the previous, share a sample of your logs.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉


itishree
Explorer

Same one only... I am getting this result.

 

From this I want only the name of the VM, like:

packer-centos6

packer-win12

packer_ubuntu18


gcusello
SplunkTrust

Hi @itishree,

As you can see, I sent you two regexes for the old logs you shared, two versions because you sent two different versions of logs (first the results you're getting, then sample logs).

So, could you share a sample of all the kinds of logs?

Anyway, the regex to extract from the results you shared is

 

| rex "\w*\/[^\/]*\/(?<my_field>\S*)\s*$"

 

that you can test at https://regex101.com/r/m9VYnT/1, but probably isn't correct.

Ciao.

Giuseppe

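As an added example, not code from the thread or from either participant: the thread's three regexes are each tied to one path shape (a fixed number of `/` separators, or a fixed number of `-` parts). The Python check below runs a single depth-independent pattern against constructed strings shaped like every sample pasted above (bare file names, `dir/file.vmx`, `datastore/dir/file.vmx`) and shows the one behaviour that matters: `[^/\s]+` cannot cross a `/`, so it only ever captures the last path segment, whereas `[^\.]*` (used in the accepted answer) happily matches across directory separators. The pattern itself, the full `/vmfs/volumes/...` path and the `count_by_vm` helper standing in for `stats count by VM` are my assumptions, not from the thread.

```python
import re

# Constructed samples shaped like the strings pasted in the thread.
# The last one is an assumed full datastore path (not from the thread).
SAMPLES = [
    "Win_7_cuckoo.vmx",
    "packer-centos6.vmx",
    "win-10-test1.vmx",
    "Caldera/Caldera.vmx",
    "kali2019/kali2019.vmx",
    "datastore1/packer_centos6/packer_centos6.vmx",
    "/vmfs/volumes/datastore1/win-10-test1/win-10-test1.vmx",
]

# Assumed depth-independent pattern (hypothetical, not from the thread):
# capture the last path segment before ".vmx".  [^/\s]+ can't span a "/",
# so a parent directory is never swallowed into the name; \b after "vmx"
# keeps ".vmxf" (the VMware extra-config file) from matching.
VM_NAME_RE = re.compile(r"(?P<VM>[^/\s]+)\.vmx\b")

# Contrast pattern: a greedy [^\.]* after a "/" runs across "/" characters
# until the first ".", which is why depth-specific prefixes were needed.
GREEDY_RE = re.compile(r"/(?P<VM>[^\.]*)\.vmx")


def vm_name(text, pattern=VM_NAME_RE):
    """Return the captured VM name from one event, or None if absent."""
    m = pattern.search(text)
    return m.group("VM") if m else None


def count_by_vm(events, pattern=VM_NAME_RE):
    """Rough stand-in for `| stats count by VM` over raw event strings."""
    counts = {}
    for event in events:
        name = vm_name(event, pattern)
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:60} -> {vm_name(s)!r}  (greedy: {vm_name(s, GREEDY_RE)!r})")
    print(count_by_vm(SAMPLES))
```

PCRE, which Splunk's `rex` uses, accepts both `(?P<VM>...)` and `(?<VM>...)` for named groups, so the same pattern can be pasted into a `rex` string unchanged; the point of the check is that one pattern covers every path shape in the thread without a per-sourcetype variant.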