Splunk Search

How to use the Rex command with text copied from Field Extractor?

jrnastase
Explorer

Hello all,

I've used the field extractor to pull out the following field, but because the permissions are a little screwy I can't use it. How do I use this search expression with the Rex function to manually pull out what I want?

(?=[^P]*(?:"Required Text"|P.*"Required Text"))^(?:[^:\n]*:){7}\s+\w+\s+(?P\d+)

Apparently it's not simply rex Field =_raw "(?=[^P]*(?:Port|P.*Port))^(?:[^:\n]*:){7}\s+\w+\s+(?P\d+)" but I'm new to this and not sure!

Thanks for any help!

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Yeeaaahh, that's highly unlikely to be the optimum rex for that.

 (?=[^P]*(?:"Required Text"|P.*"Required Text"))^(?:[^:\n]*:){7}\s+\w+\s+(?P\d+)

In English - Lookahead for a first something that is a bunch of not-P followed by either "Required Text" or "a bunch of Ps and Required Text". That something can be any combination of things that aren't colons or newlines, followed by a colon, with grabbing seven of those chunks in a row, then ignore one or more spaces, one or more characters, one or more spaces again, then finally grab some decimals.

Start with this - in a search, you can use as many rexes as you want to pull out individual things. If a rex fails to match anything, then the whole rex fails.

Try this -

| rex field=_raw "\b(?<myfield>[^:\n]):\s*(?<myvalue>[^\b])" max_match=0

This assumes your data looks something like this...

  fieldname1: fieldvalue1 fieldname2:fieldvalue2

I wouldn't normally code it exactly like that, but without an example event I can't make it any more exact.

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

Yeeaaahh, that's highly unlikely to be the optimum rex for that.

 (?=[^P]*(?:"Required Text"|P.*"Required Text"))^(?:[^:\n]*:){7}\s+\w+\s+(?P\d+)

In English - Lookahead for a first something that is a bunch of not-P followed by either "Required Text" or "a bunch of Ps and Required Text". That something can be any combination of things that aren't colons or newlines, followed by a colon, with grabbing seven of those chunks in a row, then ignore one or more spaces, one or more characters, one or more spaces again, then finally grab some decimals.

Start with this - in a search, you can use as many rexes as you want to pull out individual things. If a rex fails to match anything, then the whole rex fails.

Try this -

| rex field=_raw "\b(?<myfield>[^:\n]):\s*(?<myvalue>[^\b])" max_match=0

This assumes your data looks something like this...

  fieldname1: fieldvalue1 fieldname2:fieldvalue2

I wouldn't normally code it exactly like that, but without an example event I can't make it any more exact.

ddrillic
Ultra Champion

Do you have sample data for us?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...