rex expression that matches a pathname of variable length

Federica_92
Communicator

Hi all,
quick question:
How can I match, with rex or regex, a regular expression that matches all of these fields?

[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/host-manager.war]
[/home/nheffernan/Waratek/apache-tomcat-7.0.52/conf/context.xml]
[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/ROOT/META-INF/context.xml]
[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/docs/]
and so on..
These are raw data, and I would like to extract a field that contains, for each event, the pathname,
such as: path=/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/host-manager.war

Thank you

0 Karma

richgalloway
SplunkTrust

Does this work?

rex "\[(?P<path>[^\]]*)\]"
---
If this reply helps you, Karma would be appreciated.

Federica_92
Communicator

Thank you,
This one works: rex "[\/(?P[^]]*)]"

But how can I export one csv file that contains only this path?

index=main| rex "[(?P[^]]*)]" | outputlookup users.csv , but in the CSV file I would like to have only the rex field

0 Karma

richgalloway
SplunkTrust

Insert a fields command before the outputlookup. Only the fields listed in the command will be written to the CSV.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Federica_92
Communicator

Yeah, but with the fields command I have to tell Splunk the name of the rex field...

index=main| rex "[(?P[^]]*)]" | fields name rex field outputlookup users.csv

0 Karma

richgalloway
SplunkTrust

So give it a name.

index=main| rex "\[(?P<path>[^\]]*)\]" | fields path | outputlookup users.csv 
---
If this reply helps you, Karma would be appreciated.

Federica_92
Communicator

Seems to work! And last question, how can I add it to my query in the framework?

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '[^*]' | fields path | outputlookup read_rules.csv")

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex "[^*]" | fields path | outputlookup read_rules.csv")

I cannot use either of these ways.

0 Karma

richgalloway
SplunkTrust

I'm not familiar with the framework. Why can you not use those ways?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Federica_92
Communicator

No, your query is perfect, but I need to use it in the framework :~)

0 Karma

esix_splunk
Splunk Employee

What framework are you referring to?

0 Karma

Federica_92
Communicator

The Splunk framework.

0 Karma

markthompson
Builder

Federica, looking at your framework question, the reason those won't work is because you're not creating the field.

For your reference, it'll benefit you in the long term.

rex "\[(?P<path>[^\]]*)\]"

The <path> part of the rex creates the field called path.

Using the example you supplied, this is missing.

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '[[^*](?.+)]' | fields path | outputlookup read_rules.csv")

Try:

search: mvc.tokenSafe ("index=waratek source=$sourcename$ File:read | rex '\[(?P<path>[^\]]*)\]' | fields path | outputlookup read_rules.csv")

Credit to @richgalloway for the rex statement.

0 Karma
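Running the accepted pipeline outside Splunk, as an added example that is not from the thread: Python's `re` accepts the same `(?P<path>...)` group syntax, so the regex can be checked against constructed sample events (including one with no brackets and one with a nested `[`) before producing the single-column CSV that `fields path | outputlookup` writes.

```python
import csv
import io
import re

# Same regex as the accepted answer: named group "path" capturing everything
# between the first "[" and the next "]".
PATH_RE = re.compile(r"\[(?P<path>[^\]]*)\]")

# Constructed sample events (not the thread's real data). The last two show
# an event with no bracketed pathname and one with a nested "[" in the path.
RAW_EVENTS = [
    "[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/host-manager.war]",
    "[/home/nheffernan/Waratek/apache-tomcat-7.0.52/conf/context.xml]",
    "[/home/nheffernan/Waratek/apache-tomcat-7.0.52/webapps/docs/]",
    "File:read event with no bracketed pathname",
    "[/opt/app/conf/[legacy]/server.xml] trailing text",
]


def extract_path(event):
    # Mimics rex: return the captured path, or None when the pattern does
    # not match (rex then creates no "path" field on that event).
    m = PATH_RE.search(event)
    return m.group("path") if m else None


def paths_to_csv(events):
    # Mimics "| fields path | outputlookup": one column headed "path".
    # Events where no path was extracted are dropped, the equivalent of
    # adding "| where isnotnull(path)" before outputlookup in SPL.
    paths = [p for p in (extract_path(e) for e in events) if p is not None]
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["path"])
    for p in paths:
        writer.writerow([p])
    return buf.getvalue()


if __name__ == "__main__":
    print(paths_to_csv(RAW_EVENTS))
```

Note that `[^\]]*` stops at the first `]`, so the nested-bracket event yields the truncated `/opt/app/conf/[legacy`; that is worth checking against real events before relying on the CSV.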