Solved: Extracting some Values that Match RegEx on the Fly

Makinde · ‎01-26-2016

I have data that includes computer names in my environment, the computer names follow a certain pattern which is usually a combination of alphabets and digits but exactly 7 characters.

I have the regex extrpression to match the pattern, how do I apply it in my search to identify only computer names that match that pattern.

For example, here is my search;

*index= sourcetype=windows computer_name=*(I want to include the regex pattern so it returns only values that meet my criteria.)

The regex pattern that matches the pattern is ^\w{7}$

javiergn · ‎01-26-2016

You can't prefilter using regex, but you can postfilter instead using the rex command:

index=YOURINDEX sourcetype=windows 
| regex computer_name="^\w{7}$"

Alternatively if you could get a list of all your computer names from somwhere else you could use a subsearch as:

index=YOURINDEX sourcetype=windows [| searchyourcomputernames | dedup computer_name | table computer_name]

Careful with subsearches though. The above would be the equivalent of:

index=YOURINDEX sourcetype=windows (computer_name=name1 OR computer_name=name2 OR ... OR computer_name=nameN)

View solution in original post

jeffland · ‎01-27-2016

Just to add to your options, you may be interested in this search:

index=foo | where match(computer_name, "^\w{7}$") OR match(computer_name, "kiosk")

It's basically the same as using rex to create a field and filtering, it just does it in one step. Of course you can also do it like this:

index=foo | where match(computer_name, "^\w{7}$|kiosk")

Furthermore, if you're more acquainted with SQL, you can use like instead of match:

index=foo | where like(computer_name, "%kiosk%")

See here for all the fun things to do with eval!

javiergn · ‎01-26-2016

You can't prefilter using regex, but you can postfilter instead using the rex command:

index=YOURINDEX sourcetype=windows 
| regex computer_name="^\w{7}$"

Alternatively if you could get a list of all your computer names from somwhere else you could use a subsearch as:

index=YOURINDEX sourcetype=windows [| searchyourcomputernames | dedup computer_name | table computer_name]

Careful with subsearches though. The above would be the equivalent of:

index=YOURINDEX sourcetype=windows (computer_name=name1 OR computer_name=name2 OR ... OR computer_name=nameN)

Makinde · ‎01-26-2016

Thanks Javiergn and Somesoni2.

It works now, I was using regex101 to actually test the string so I confirmed it works.

Somesoni2, your regex worked as well except that it didn't pick up a Computer_name that contained Kiosk and was more than 7 characters. Figured it out making a few changes to the Regex.

I appreciate you guys help. Thanks.

Makinde · ‎01-26-2016

Hi Javiergn,

What if I wanted to include and OR say;

index=YOURINDEX sourcetype=windows
| regex computer_name="^\w{7}$" OR computer_name=*kiosk*

How would that work?

javiergn · ‎01-26-2016

Nope.
But you can add it to your regex:

index=YOURINDEX sourcetype=windows 
| regex computer_name="(?:(^\w{7}$)|(kiosk))"

Makinde · ‎01-26-2016

Hi Javiergn,

I am tried the regex cmbination you suggested however computer names such as TCKIOSK788 or OGN_CMAKIOSK122 are left out.

I want to include any computer name that has the word "Kiosk" in it.

javiergn · ‎01-26-2016

That's probably because my regex is not case sensitive. Try this instead:

index=YOURINDEX sourcetype=windows 
 | regex computer_name="(?i)(?:(^\w{7}$)|(kiosk))"

Makinde · ‎01-26-2016

Hi Javiergn,

It doesn't still match the criteria. Not sure you understand what I want.

The KIOSK in the reg-ex seems to only match the word KIOSK but that's not what I want, I want it to match any computer_name that has the work KIOSK in it.

For example,

The current regex will identify a computer_name that is strictly "kiosk" or any 7 character computer name. But I have computer names like TCKIOSK788 or OGN_CMAKIOSK122, the common word in them is KIOSK,

How can I get the regex to pick out the whole computer_name not just the word KIOSK?

Thanks,
Makinde

javiergn · ‎01-26-2016

Apologies as I can't test this right now from my phone. I'm pretty sure the regex was matching the full computer name but if not try this instead:

index=YOURINDEX sourcetype=windows 
  | regex computer_name="(?i)(?:(^\w{7}$)|(\w+kiosk\w+))"

javiergn · ‎01-26-2016

Please keep in mind you can test your regex from www.regex101.com. Simply remove the double quotes around it from the regex above and paste it in the regex box. Then try a few examples to confirm it's working as expected.

somesoni2 · ‎01-26-2016

How about this

index=YOURINDEX sourcetype=windows 
  | regex computer_name="(?i)(?:(^\w{7}$)|(.*kiosk.*))"

somesoni2 · ‎01-26-2016

Try something like this

index= sourcetype=windows | regex computer_name="^w{7}$"

Extracting some Values that Match RegEx on the Fly

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!