cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Nikobobinus
Explorer
Member since: ‎01-06-2017
‎07-12-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 3
Karma Received 2
Member Since ‎01-06-2017
Activity Feed
View All

Re: Help in optimising a horrible regex (46K+ step...

by in Splunk Search
‎07-12-2024 01:50 AM
‎07-12-2024 01:50 AM
@ITWhispererand @PickleRick thank you both very much! Technically PickleRick's mimics the precise result better, but takes c.13K steps, while ITWhisperer's answer takes just 332 steps and leaves a leading hyphen (which is easy enough to strip out). I'm going to accept ITWhisperer's as the solution for it's efficiency, but wanted to call out that PickleRick's result, as a pure regex solution, is technically better. Thank you both! ... View more

Help in optimising a horrible regex (46K+ steps)

by in Splunk Search
‎07-11-2024 08:11 AM
‎07-11-2024 08:11 AM
Hi Splunkers, I am trying to extract a string within a string, which has been repeated, with the addition of some pre- and -post fixes, only the very start and end of the string are static values ('AZ-' and '-VMSS'). Example data: AZ-203-dev-app-1-build-agents-203-dev-app-1-build-agents0006GA-1720624093-VMSS AZ-eun-dev-005-pqu-ado-vmss-eun-dev-005-pqu-ado-vmss005X89-1720625975-VMSS AZ-DEV-CROSS-SUBSCRIPTION-PROXY-EUN-BLUE-DEV-CROSS-SUBSCRIPTION-PROXY-EUN-BLUE000000-1720637733-VMSS   I have a working rex command to extract the relevant data (temp_hostname4): | rex field=source_hostname "(?i)^AZ(?<cap1>(-[A-Z0-9]+)+)(?=\1[A-Z0-9]{6})-(?<temp_hostname4>([A-Z0-9]+-?)+)-\d{10}-VMSS$"   Which correctly extracts: 203-dev-app-1-build-agents0006GA eun-dev-005-pqu-ado-vmss005X89 DEV-CROSS-SUBSCRIPTION-PROXY-EUN-BLUE000000   But let's face it, this is horrible! According to regex101 this takes 46K+ steps, which can't be nice for Splunk to apply to c.20K records several times per day. Can anyone suggest optimisations to bring that number down?   For added complication (and for clarity to anyone reading this) it's temp_hostname4 because there are multiple other ways the hostname might have been... manipulated before it gets to Splunk, sometimes with the string repeated, sometimes not, resulting in the following SPL - I could use coalesce rather than case, but that's hardly important right now, and separating the regex statements seemed like the saner thing to do in this instance 😉 | rex field=source_hostname "(?i)^AZ(?<cap1>(-[A-Z0-9]+)+)(?=\1[A-Z0-9]{6})-(?<temp_hostname4>([A-Z0-9]+-?)+)-\d{10}-VMSS$" | rex field=source_hostname "(?i)^AZ-(?<temp_hostname3>[^.]+)-\d{10}-VMSS$" | rex field=source_hostname "(?i)^AZ-(?<temp_hostname2>[^.]+)-\d{10}$" | rex field=source_hostname "(?i)^(?<temp_hostname1>[^.]+)_\d{10}$" | eval alias_source_of=case( !isnull(temp_hostname4), temp_hostname4, !isnull(temp_hostname3), temp_hostname3, !isnull(temp_hostname2), temp_hostname2, !isnull(temp_hostname1), temp_hostname1, 1=1, null() ) Any suggestions for optimisations of the regex would be gratefully appreciated. ... View more
Labels

Re: Has anyone successfully gathered logs from WSU...

by in Getting Data In
‎05-04-2020 05:58 AM
2 Karma
‎05-04-2020 05:58 AM
2 Karma
I found that using SQLCMD and outputting to a CSV was the best option, so i scheduled this as a task; sqlcmd -S np:\.\pipe\MICROSOFT##WID\tsql\query -i D:\TTAS\WSUS_query\WSUS_query.txt -o D:\TTAS\WSUS_query\hotfixes.csv -W -s "," Which executes the query in WSUS_query.txt and outputs to hotfixes.csv. W trim whitespace s "," use comma as delimiter The query i used is this: use SUSDB select CURRENT_TIMESTAMP as datetime, ct.FullDomainName, ct.IPAddress, ctd.OSBuildNumber, ct.LastReportedStatusTime, uV.DefaultTitle, uspc.SummarizationState, uv.KnowledgebaseArticle from tbComputerTarget ct left join tbUpdateStatusPerComputer uspc on uspc.TargetID=ct.TargetID left join tbUpdate u on u.LocalUpdateID = uspc.LocalUpdateID left join [SUSDB].[PUBLIC_VIEWS].[vUpdate] uV on uV.UpdateId = u.UpdateID left join tbComputerTargetDetail ctd on ctd.TargetID=ct.TargetID order by FullDomainName , "DefaultTitle" desc Then it's simple Splunking 🙂 ... View more

Re: Why are fields returning true for both isNum()...

by in Splunk Search
‎12-03-2018 02:57 AM
‎12-03-2018 02:57 AM
Under which scenarios does isstr return false then other than empty/null? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-12-2024 01:46 AM
Karma from
View All
Karma given to