I want to tag events based on a regex

paulbruno
Engager

Example: If the event's source field contains the word FOO, I want to tag it as foo.
If the event contains XML (i.e. matches <(.?)>.<(\1)>), I want to be able to tag it as XML.

This way I can do queries like tags:XML and it will only return events I have tagged as XML.

I can easily do this in other logging solutions such as logstash but I can't seem to find a way to do it in Splunk. Thanks.

0 Karma

paulbruno
Engager

Answering my own question: Since eventtypes can't handle a regex....

I created an extraction regex that matches opening/closing elements and performed a subquery on that field:

| rex field=_raw "(?s)<(?<xml>\w+)[^>]*>.*?</\\g{1}>" | search xml=*

Won't catch singular empty elements (i.e. ), but it's good enough for my purposes.

Hope this might help someone some day 🙂

0 Karma
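The same tagging rule from the question, written in Python as an added example (not code from the thread or from Splunk) so the regex can be checked offline before it goes into a rex command. The sample events are constructed, the event shape (a dict with source and _raw) is an assumption, and the pattern goes slightly beyond the posted one by allowing attributes on the opening tag; self-closing elements such as <a/> are still not matched, as the answer notes.

```python
import re

# Opening tag (attributes allowed) followed somewhere by a closing tag of the same
# name. (?s) lets "." span newlines, matching the (?s) used in the rex command.
# Self-closing elements like <empty/> have no closing tag and are not matched.
XML_ELEMENT = re.compile(r"(?s)<(?P<xml>\w+)[^>]*>.*?</(?P=xml)>")

# "The source field contains the word FOO" as a whole-word, case-sensitive test.
FOO_IN_SOURCE = re.compile(r"\bFOO\b")


def tag_event(source: str, raw: str) -> set:
    """Return the set of tags an event gets under the rules from the question."""
    tags = set()
    if FOO_IN_SOURCE.search(source):
        tags.add("foo")
    if XML_ELEMENT.search(raw):
        tags.add("XML")
    return tags


# Constructed sample events; the field names mirror Splunk's source and _raw.
SAMPLE_EVENTS = [
    {"source": "/var/log/FOO/app.log", "_raw": "user=bob action=login"},
    {"source": "/var/log/app.log", "_raw": '<request id="1"><user>bob</user></request>'},
    {"source": "/var/log/FOO/soap.log", "_raw": "<Envelope>\n<Body/>\n</Envelope>"},
    {"source": "/var/log/app.log", "_raw": "<empty/>"},          # no closing tag: not XML
    {"source": "/var/log/app.log", "_raw": "if a <b and c> d"},  # angle brackets, not XML
]


def tag_all(events):
    """Tag every event; returns (source, sorted tag list) pairs for easy inspection."""
    return [(e["source"], sorted(tag_event(e["source"], e["_raw"]))) for e in events]


if __name__ == "__main__":
    for src, tags in tag_all(SAMPLE_EVENTS):
        print(src, tags)
```

Running the module prints one line per sample event; the third event gets both tags, the last two get none.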

lguinn2
Legend

Use an eventtype to define a search for FOO or XML or whatever. Search using the eventtype:

eventtype=FOO

or whatever you named it. You can also tag eventtypes, so if you give the FOO eventtype a tag, you can use that tag to search:

tag=FOO

assuming that you named the tag FOO.

More info: Create an Eventtype

0 Karma

paulbruno
Engager

Hi, I appreciate the response. My FOO is not a constant string; it could be a REGEX like the one I am using to search for matching XML elements. Also, it needs to go against the source field, not _raw.

Am I able to do this?

tag=<(.?)>.<(\1)>

Edit: it seems this forum is stripping asterisks and other special characters, so I am unable to post the exact regex here.

0 Karma

paulbruno
Engager

Should read: "If the event's source field CONTAINS the word..." I am unable to edit my post because this site's captchas don't work.

0 Karma