Splunk Search

Regex for two similar statements to put in transforms.conf ?

dmacgillivray
Communicator

Hello, thanks for everyone's assistance on the MV_ADD=True response to my last question regarding
multivalued pairs. Now I have the result of MV_ADD=True below. Very cleanly they are separated by 1 & 2 below.

1)new_user
2)original_user

The problem I am having now is being able to write a regex with field separators for the two blocks below. Knowing the data inside the fields might change, the field names should not.
Would anyone be able to assist?

Thank You in advance
Daniel MacGillivray

new_user=[userid:[BOBS_MZS_Truck3rdlnsupp1] firstname:[Truck3rdlnsupp1] lastname:[LN] email:[] certdn:[] properties:[[name=ContactID isset=false], [name=ctscPasswordResetAttempts isset=false], [name=ctscSecretQuestionAnswer isset=false]] account_start_date:[Mar 12, 2014 6:08:47 PM] account_expiry_date:[Jan 1, 4712 6:08:47 PM] islockedout:[false] isactive:[true] passwordexpiry_date:[Aug 14, 2014 11:59:26 AM] admin_group:[Person User Admin Group] ispublic:[true]]

original_user=[userid:[BOBS_MZS_Truck3rdlnsupp1] firstname:[Truck3rdlnsupp1] lastname:[LN] email:[] certdn:[] properties:[[name=ContactID isset=false], [name=ctscPasswordResetAttempts isset=false], [name=ctscSecretQuestionAnswer isset=false]] account_start_date:[Mar 12, 2014 6:08:47 PM] account_expiry_date:[Jan 1, 4712 6:08:47 PM] islockedout:[true] isactive:[false] passwordexpiry_date:[Aug 6, 2014 6:02:47 PM] admin_group:[Person User Admin Group] ispublic:[true]]


richgalloway
SplunkTrust

This should get you started.

[\s\S]*userid:\[(?<userid>[\s\S]+)] firstname:\[(?<firstname>[\s\S]+)] lastname:\[(?<lastname>[\s\S]+)] 

Put it into RegExr along with your sample events and you should be able to finish your regex string in short order.

---
If this reply helps you, Karma would be appreciated.



richgalloway
SplunkTrust

Yes, this string should work in a REGEX statement in your transforms.conf file or in a rex search statement.

---
If this reply helps you, Karma would be appreciated.
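An added example, not from this thread or from Splunk, showing the named-group approach from the answer above applied to both blocks quoted in the question, written in Python so it runs offline (Python spells named groups `(?P<name>...)` where Splunk's PCRE uses `(?<name>...)`). It builds one group per known field name, prefixed by block (`new_user_` / `original_user_`) so the two blocks do not collide, stops each value at its own closing bracket, and reports which fields differ between the two blocks, which is what a monitoring search over these events would key on (here the account going from locked to unlocked). The combined sample event is constructed from the two blocks in the question.

```python
import re

# Field names in the order they appear in the quoted blocks: values may change, names do not.
FIELDS = ["userid", "firstname", "lastname", "email", "certdn", "properties",
          "account_start_date", "account_expiry_date", "islockedout", "isactive",
          "passwordexpiry_date", "admin_group", "ispublic"]

def field_pattern(prefix, name):
    """One capture group per field, named <prefix>_<name> so the two blocks stay distinct."""
    if name == "properties":
        # Nested brackets: lazy match, bounded by the bracket that precedes the next field.
        return rf"properties:\[(?P<{prefix}_properties>.*?)\]"
    # Every other value stops at its own closing bracket, so it cannot run into the next field.
    return rf"{name}:\[(?P<{prefix}_{name}>[^\]]*)\]"

def block_regex(prefix):
    body = r"\s+".join(field_pattern(prefix, n) for n in FIELDS)
    return re.compile(rf"\b{prefix}=\[" + body + r"\]")

BLOCK_PATTERNS = [block_regex(p) for p in ("new_user", "original_user")]

def extract_user_change(event):
    """Return {'new_user_userid': ..., 'original_user_userid': ..., ...} for one event."""
    fields = {}
    for pattern in BLOCK_PATTERNS:
        match = pattern.search(event)
        if match:
            fields.update(match.groupdict())
    return fields

def changed_fields(fields):
    """Fields whose value differs between original_user and new_user (e.g. an unlock)."""
    return [n for n in FIELDS
            if f"new_user_{n}" in fields and f"original_user_{n}" in fields
            and fields[f"new_user_{n}"] != fields[f"original_user_{n}"]]

# Constructed sample: the two blocks quoted in the question, joined into a single event.
SAMPLE_EVENT = (
    "new_user=[userid:[BOBS_MZS_Truck3rdlnsupp1] firstname:[Truck3rdlnsupp1] lastname:[LN] email:[] certdn:[] "
    "properties:[[name=ContactID isset=false], [name=ctscPasswordResetAttempts isset=false], "
    "[name=ctscSecretQuestionAnswer isset=false]] account_start_date:[Mar 12, 2014 6:08:47 PM] "
    "account_expiry_date:[Jan 1, 4712 6:08:47 PM] islockedout:[false] isactive:[true] "
    "passwordexpiry_date:[Aug 14, 2014 11:59:26 AM] admin_group:[Person User Admin Group] ispublic:[true]] "
    "original_user=[userid:[BOBS_MZS_Truck3rdlnsupp1] firstname:[Truck3rdlnsupp1] lastname:[LN] email:[] certdn:[] "
    "properties:[[name=ContactID isset=false], [name=ctscPasswordResetAttempts isset=false], "
    "[name=ctscSecretQuestionAnswer isset=false]] account_start_date:[Mar 12, 2014 6:08:47 PM] "
    "account_expiry_date:[Jan 1, 4712 6:08:47 PM] islockedout:[true] isactive:[false] "
    "passwordexpiry_date:[Aug 6, 2014 6:02:47 PM] admin_group:[Person User Admin Group] ispublic:[true]]"
)
```

Calling `changed_fields(extract_user_change(SAMPLE_EVENT))` yields `['islockedout', 'isactive', 'passwordexpiry_date']`; `BLOCK_PATTERNS[0].pattern` is the string you would paste into a transforms.conf REGEX after switching the group syntax to `(?<name>...)`.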

dmacgillivray
Communicator

Delayed thank you!!


dmacgillivray
Communicator

Hi Rich, thanks for the help on this. So I should be able to use this as a sample in the transforms? Or inside the regex extractor tool in Splunk? Either way, thank you.

Daniel
