Solved: Multiple REX from single search

MasterOogway · ‎07-30-2012

I have some sendmail logs that send the following different entries within the data streams:

disposition=abc123

disposition=abc123, followed by some stuff.

disposition=xyz-123

disposition=xyz-123, followed by some stuff.

And I need to build one REX statement that allows me to call what comes after the "=" sign an errorcode. How can define multiple REX's from one search string?

Here is an example that works, but also pulls too much information after location the errorcode.

index=sendmail | rex "disposition=(?.*?)$" < ---sorry, the editor won't define my angle bracket, word, angle bracket that is between the first ? and the second?

It pulls everything after the errorcode including addtional characters, words and numbers and I need to grab strong text only.

Any thoughts on how to build a multi REX statement within one search query and defining each found errorcode as an incident?

richgalloway · ‎07-30-2012

Perhaps something like "disposition=(?P[^\n,]*),?" will help.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-30-2012

Perhaps something like "disposition=(?P[^\n,]*),?" will help.

---
If this reply helps you, Karma would be appreciated.

Multiple REX from single search

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor