Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I develop a rex command that extracts non-contiguous characters into one capturing group?

pc1234
Explorer
‎09-27-2016 06:39 AM

I need some assistance coding a rex statement to extract data from events generated by a Powershell script.
Sample data:

Name                                   Port        Description             Protocol
Windows remote mgmt                 RPC 135     @FirewallAPI              TCP
Corenet-12345                         421                                    TCP
Port 75 and 443                                                              UDP

I have two questions:
1) How do I extract non-contiguous characters into one capturing group (one for name and the other for port)
2) How do I handle cases where one or more fields are blank? (in this case, the port in the second row and both the port and description in the third row?

Thanks in advance for your help.

0 Karma
Reply

lakromani
Builder
‎09-28-2016 02:08 AM

If data are at fixed length, you can do some like this:

(?<name>.{39})(?<port>.{15})(?<info>.{26})(?<protocol>.+)

Look at this:
https://regex101.com/r/RwdS6Y/2

0 Karma
Reply

davebrooking
Contributor
‎09-28-2016 12:48 AM

Hi

Does your data really look like that, with the fields always fixed length as you have shown, or can the fields be variable length?

Dave

0 Karma
Reply

bcdady
Explorer
‎09-27-2016 06:50 PM

What options do you have to modify the generating PowerShell cmdlet or function?
We might be able to avoid having to use RegEx / rex altogether. Since the various, .Name, .Port, .Description and .Protocol are all properties of the object(s) returned by the calling PowerShell, you could consider formatting the output as CSV, XML or at least another delimited output that would be easier to parse with rex.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...