Splunk Search

Regex match till end of event?

Cuyose
Builder

Not sure why I can't find this, but the following is not working.

|rex field=_raw "(?i)response=(?<responseXML>.+)$"

where response= occurs somewhere in the event and always continues to the very end of a multi-line event.

0 Karma

Richfez
SplunkTrust

Do you have a sample of one of the difficult, long, multi-line events that we can use to confirm potential solutions before posting them?

0 Karma

inventsekar
Ultra Champion

We are trying to create the rex query with just our own understanding of your issue.
Could you please post a sample event and your current query?

0 Karma

somesoni2
SplunkTrust

Give this a try

 | rex field=_raw "response=(?<responseXML>[\S\s\r\n]*)$"

Option 2

 your base search | eval responseXML=replace(_raw,"^([\S\s\r\n]*)response=","")
0 Karma

Cuyose
Builder

Cool, this worked (Option 1), but it's very odd that I had to resort to this, as the first example I tried had worked in many other situations!

0 Karma

dbcase
Motivator

Have you tried erex?

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Erex

Using erex, Splunk will attempt to write the rex pattern for you given your example string(s).

0 Karma

Cuyose
Builder

Unfortunately, while useful for smaller, more specific examples, this cannot take multiple 1000-character examples spanning multiple lines as input.

0 Karma

sundareshr
Legend

Try this

| rex field=_raw "response=(?<msg>[^\t\n]+)"
0 Karma

Cuyose
Builder

This does not work because it only captures to the end of the line the response= is found on.

0 Karma

sundareshr
Legend

Try this

| rex field=_raw "response=(?<msg>[^\S\t\r\n]+)"
0 Karma

inventsekar
Ultra Champion

"(?i)response=(?.+)$" -----

- you should use < and > around the variable - (?<i>)
- (?<i>) needs to come where it will appear in the event (i.e., after the "response=")

and I created a few sample events ending with "response=digits"

event 1 - Extract "from" and "to" fields using regular expressions. response=101
event 2 - If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob, response=404
event 3 - source="tutorialdata.zip:./www1/access.log" response=500

and this query picks up the response codes fine.

sourcetype=responseREX | rex field=_raw "response=(?<i>.*)" | table _raw, i 

regarding the end-of-line $, these two below work the same -
response=(?<i>.*)
and
response=(?<i>.*)$

0 Karma

Cuyose
Builder

This only captured the first character after response=

0 Karma

Cuyose
Builder

Sorry, I had that, but I must have missed the code button and it stripped out some things.

This is not working

|rex field=_raw "(?m)Data=(?<xmlData>.+)$"
0 Karma
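To show why the patterns tried in this thread behave the way they do, here is an added example that is not part of the original thread or of Splunk's documentation: the same regexes run against one constructed multi-line event in Python's re module, which handles `.`, `$`, `(?m)` and `(?s)` the same way PCRE (and therefore Splunk's rex) does in the ways that matter here. The sample event and its SAML-style XML payload are constructed for the example; the only change to the thread's patterns is that Python spells a named group `(?P<name>...)` where Splunk uses `(?<name>...)`. The point worth seeing end to end: without `(?s)`, `.` never crosses a newline, so `.+$` fails outright on a multi-line payload; adding `(?m)` makes `$` match at each line end and so "succeeds" while silently returning only the first line, which is the dangerous case when a later search looks for something deeper in the payload; `[\S\s]*` (or `(?s)`) is what actually captures to the end of the event.

```python
import re

# Constructed sample event (not taken from the thread): one Splunk event whose
# "response=" payload is a multi-line XML document. Splunk's _raw field holds the
# whole event as a single string with embedded newlines, which is what re.search
# sees here.
SAMPLE_EVENT = (
    "2016-08-01 12:00:00,123 INFO [sso] request_id=42 user=alice\n"
    "response=<samlp:Response Version=\"2.0\">\n"
    "  <saml:Assertion>\n"
    "    <saml:Subject>alice@example.test</saml:Subject>\n"
    "  </saml:Assertion>\n"
    "</samlp:Response>"
)

# What a correct extraction must return: everything after "response=" to the end.
EXPECTED_XML = SAMPLE_EVENT.split("response=", 1)[1]

# The rex patterns tried in the thread, keyed by a short label. Python's re module
# spells a named group (?P<name>...) where PCRE/Splunk use (?<name>...); nothing
# else about these patterns is changed.
PATTERNS = {
    "original_dot_plus_dollar": r"(?i)response=(?P<responseXML>.+)$",
    "multiline_flag":           r"(?m)response=(?P<responseXML>.+)$",
    "negated_tab_newline":      r"response=(?P<responseXML>[^\t\n]+)",
    "accepted_S_s_class":       r"response=(?P<responseXML>[\S\s\r\n]*)$",
    "dotall_flag":              r"(?s)response=(?P<responseXML>.+)$",
}


def extract(pattern: str, event: str = SAMPLE_EVENT):
    """Return the responseXML capture for one pattern, or None if the regex never matches.

    None mirrors what Splunk does when rex fails: the field is simply absent.
    """
    m = re.search(pattern, event)
    return m.group("responseXML") if m else None


def strip_prefix(event: str = SAMPLE_EVENT) -> str:
    r"""Option 2 from the accepted answer, in Python: delete everything up to and
    including 'response='. The greedy [\S\s]* backtracks from the end of the event,
    so with several occurrences it would keep only what follows the last one."""
    return re.sub(r"^([\S\s\r\n]*)response=", "", event)


def compare_all(event: str = SAMPLE_EVENT) -> dict:
    """Run every pattern; map label -> (captured_text, captured_whole_payload)."""
    return {
        label: (captured, captured == EXPECTED_XML)
        for label, captured in ((lbl, extract(p, event)) for lbl, p in PATTERNS.items())
    }


if __name__ == "__main__":
    for label, (captured, ok) in compare_all().items():
        status = "FULL PAYLOAD" if ok else ("NO MATCH" if captured is None else "TRUNCATED")
        print(f"{label:26} {status:13} {captured!r}")
    ok2 = strip_prefix() == EXPECTED_XML
    print(f"{'replace_option_2':26} {'FULL PAYLOAD' if ok2 else 'WRONG':13}")
```

Running it shows the three outcomes side by side: the original `.+$` pattern produces no match at all, the `(?m)` and `[^\t\n]+` variants match but stop at the first newline, and the accepted `[\S\s\r\n]*$` pattern, the `(?s)` flag and the `replace()` form all return the full XML. `[\S\s]` is just the flag-free way of saying "any character including newline", which is why it works in rex without needing `(?s)`; `\r\n` inside that class is redundant because `\s` already covers them.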