Okay, here we go. Let's get the basics out of the way. We run Splunk Enterprise 6.6.4, on-prem, from Linux-based servers (RedHat). We have 4 indexers, but they aren't clustered, they are just autoLB. I don't think any of this will affect my question, but I like to set the stage.
I'm the Splunk admin for our organization, and while I can muddle my way through Regex, I'm not great with it. I have a situation where there is a data source that throws multiple "records" into a single Splunk "event". This data source is coming off of a mainframe feed where I don't really have the option of altering the source data. Every "record" within the "event" starts with a userid that can be any letter, number or character and may be somewhere between 1 and 8 characters. That user id is followed immediately by a space, 9 dashes, another space and then the word "STRING(S)". I basically need a regex that will pull out each "record" into its own string. I have been able to write a regex that successfully pulls out every other record, but because I have to use the " --------- STRING(S) FOUND" as the terminating string as well as the starting string, I don't know how to tell it to read the terminating string to determine the record is over, but then effectively back up and use the terminating string of one record as the starting string of the next record. Further adding to the complexity is the fact that there may be several CR LF (carriage return, line feed) hidden characters in the string that I want to capture. I've included some sample data, and in the sample data, I need to capture from "@1YMD" down to, but not including "@2EDA". Then, I need the next capture string to go from "@2EDA" and go up to but not include "@2EDC" (and then so on, and so forth through the whole event). I want to capture everything from the word prior to " --------- STRING(S)" to the next occurrence of " --------- STRING(S)" without reading the second userid, so that it is available to start the next record. I've tried non-capture groups and having it "give back" some of the characters, but I can't get it just right. This is as close as I've gotten:
(?<member_string>(?<member>[a-zA-Z0-9\@]{1,8})\s+---------\sSTRING\(S\).*?)\s[a-zA-Z0-9\@]{1,8}\s---------\sSTRING\(S\)
I'm really hoping this makes sense to all of you, and that I don't sound like an idiot. Any help would be appreciated.
Sincerely,
Matthew Granger
P.S. - I've tried to clean up the regex to display properly in the "preview" to show less than and greater than symbols and such, hopefully I've done okay.
@1YMD --------- STRING(S) FOUND ------------------- 1 00001000$KEY(1YMD) TYPE(AKC) 2 00002000 UID(EJB7) ALLOW 3 00003000 UID(EJC7) ALLOW 4 00005000 UID(EJF4) ALLOW 5 00006000 UID(EJF5) ALLOW 6 00007000 UID(EJ03) ALLOW 7 00008000 UID(EJ18) ALLOW 8 00009000 UID(EJ19) ALLOW 9 00010000 UID(EJ20) ALLOW 10 00011000 UID(EJ21) ALLOW 11 00013000 UID(EJ54) ALLOW 12 00014000 UID(EJ55) ALLOW 13 00015000 UID(EJ58) ALLOW 14 00016000 UID(EJ62) ALLOW 15 00017000 UID(E*KG01) ALLOW 16 00018000 UID(EKL00) ALLOW @2EDA --------- STRING(S) FOUND ------------------- 2 00001000$KEY(2EDA) TYPE(AKC) 3 00002001 UID(EJ19) ALLOW 4 00002101 UID(EJ20) ALLOW 5 00002202 UID(EJ21) ALLOW @2EDC --------- STRING(S) FOUND ------------------- 2 00001000$KEY(2EDC) TYPE(AKC) 3 00002000 UID(EJB7) ALLOW 4 00003000 UID(EJF4) ALLOW 5 00004000 UID(EJF5) ALLOW 6 00005000 UID(EJ03) ALLOW 7 00007000 UID(EJ18) ALLOW 8 00008000 UID(EJ19) ALLOW 9 00009000 UID(EJ20) ALLOW 10 00010000 UID(EJ21) ALLOW 11 00011000 UID(EJ54) ALLOW 12 00012000 UID(EJ58) ALLOW 13 00013000 UID(EJ60) ALLOW 14 00014000 UID(EKL00ON) ALLOW
ISRSUPC - MVS/PDF FILE/LINE/WORD/BYTE/SFOR COMPARE UTILITY- ISPF FOR z/OS 2017/12/20 0.15 PAGE 6 LINE-# SOURCE SECTION SRCH DSN: SECURITY.ACF2AKC.RULES 15 00015000 UID(E**I9) ALLOW @2EMT --------- STRING(S) FOUND ------------------- 2 00001000$KEY(2EMT) TYPE(AKC) 3 00002000 UID(EJB7) ALLOW 4 00003000 UID(EJF4) ALLOW 5 00004000 UID(EJF5) ALLOW 6 00005000 UID(EJ03) ALLOW 7 00007000 UID(EJ18) ALLOW 8 00008000 UID(EJ19) ALLOW 9 00009000 UID(EJ20) ALLOW 10 00010000 UID(EJ21) ALLOW 11 00011000 UID(EJ54) ALLOW 12 00012000 UID(EJ58) ALLOW 13 00013000 UID(EJ60) ALLOW 14 00014000 UID(EKL00ON) ALLOW 15 00015000 UID(E****I9) ALLOW @2FCS --------- STRING(S) FOUND ------------------- 2 00001000$KEY(2FCS) TYPE(AKC) 3 00002000 UID(EJB7) ALLOW 4 00003000 UID(EJF4) ALLOW 5 00004000 UID(EJF5) ALLOW 6 00005000 UID(EJ03) ALLOW 7 00007000 UID(EJ18) ALLOW 8 00008000 UID(EJ19) ALLOW 9 00009000 UID(EJ20) ALLOW 10 00010000 UID(EJ21) ALLOW 11 00011000 UID(EJ54) ALLOW 12 00012000 UID(EJ58) ALLOW 13 00013000 UID(EJ60) ALLOW 14 00014000 UID(EKL00ON) ALLOW 15 00015000 UID(E*******I9) ALLOW
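The "give back the terminator" problem described in the post is what a zero-width lookahead is for: the next record's header is checked but not consumed, so it is still there to open the following match. The example below is added here and is not the poster's regex or Splunk's own code; the sample event is constructed from the post's data, and the `rex` invocation assumes Splunk's PCRE engine with `max_match=0`.

```python
import re

# Constructed sample modelled on the mainframe feed in the post: every record
# opens with "<userid> --------- STRING(S) FOUND" and CR LF pairs are embedded.
SAMPLE = (
    "@1YMD --------- STRING(S) FOUND ------------------- 1 00001000$KEY(1YMD) TYPE(AKC)\r\n"
    "2 00002000 UID(EJB7) ALLOW\r\n3 00003000 UID(EJC7) ALLOW "
    "@2EDA --------- STRING(S) FOUND ------------------- 2 00001000$KEY(2EDA) TYPE(AKC)\r\n"
    "3 00002001 UID(EJ19) ALLOW "
    "@2EDC --------- STRING(S) FOUND ------------------- 2 00001000$KEY(2EDC) TYPE(AKC)\r\n"
    "3 00002000 UID(EJB7) ALLOW"
)

# The header that both opens one record and ends the previous one.
HEADER = r"[a-zA-Z0-9@]{1,8}\s---------\sSTRING\(S\)"

# The terminator sits inside (?=...), a lookahead: it must be present for the
# match to end, but it is not consumed, so the next finditer() call starts on
# it. \Z covers the final record, which has no following header.
RECORD_RE = re.compile(
    r"(?P<member_string>(?P<member>[a-zA-Z0-9@]{1,8})\s---------\sSTRING\(S\).*?)"
    r"(?=\s" + HEADER + r"|\Z)",
    re.DOTALL,  # let .*? run across the embedded CR LF characters
)


def split_records(event: str) -> list[tuple[str, str]]:
    """Return (member, member_string) for every record in one Splunk event."""
    return [(m.group("member"), m.group("member_string"))
            for m in RECORD_RE.finditer(event)]


# The same pattern as a Splunk rex command: (?s) is PCRE's DOTALL flag and
# max_match=0 makes rex return every record rather than only the first.
SPLUNK_REX = (
    r'| rex field=_raw max_match=0 "(?s)(?<member_string>(?<member>[a-zA-Z0-9@]{1,8})'
    r'\s---------\sSTRING\(S\).*?)(?=\s[a-zA-Z0-9@]{1,8}\s---------\sSTRING\(S\)|\Z)"'
)

if __name__ == "__main__":
    for member, record in split_records(SAMPLE):
        print(member, "->", repr(record))
```

Report page breaks from the compare utility (the "ISRSUPC - MVS/PDF ..." header in the sample) fall inside whichever record they interrupt, so they need to be stripped separately if they matter downstream.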