How to extract name from multiple sources using rex

ibob0304
Communicator

I am trying to extract one name from source using rex.

index=* source=* | rex field=source "\\\\\\\domain\\\prod\\\(?<Application>.+?(?=\\\))"

The above query lists the application names from the source. But now I want to join another, different source.

\\\\\\domain\\\Logs\\\Prod\\\cluster1\\\(?<Application>.+?(?=\\\))"

So I tried joining both rex expressions to get the Application names.

index=* source=* | rex field=source "\\\\\\\domain\\\prod\\\(?<Application>.+?(?=\\\)) & \\\\\\domain\\\Logs\\\Prod\\\cluster1\\\(?<Application>.+?(?=\\\))"

I thought it would extract the names from both source locations, but it is not working.

0 Karma

horsefez
SplunkTrust

Hi,

Try this solution.

| rex field=source "(?J)(?:\\\\\\\domain\\\prod\\\(?<Application>.+?)(?=\\\))|(?:\\\\\\\domain\\\Logs\\\Prod\\\cluster1\\\(?<Application>.+?(?=\\\)))"

@cpetterborg: And that's where you are wrong 😉 --> look up (?J) 😛

0 Karma

ibob0304
Communicator

It didn't work. "Regex: missing closing parenthesis". I added a ) at the end and it ran without error, but it only showed applications from one path.

0 Karma

horsefez
SplunkTrust

@ibob0304 if it worked for you, I would appreciate it if you would accept my answer 😉

0 Karma

FrankVl
Ultra Champion

Why not limit the | construct to only the part of the regex that has multiple options?

index=* source=* | rex field=source "\\\\\\\domain(\\\prod\\\|\\\Logs\\\Prod\\\cluster1\\\)(?<Application>.+?(?=\\\))"

Alternatively, just add 2 separate rex commands for each flavor. I'd especially recommend that if you expect to be adding more variants in the future, because otherwise the regex will become very hard to read.

0 Karma

cpetterborg
SplunkTrust

You cannot have two named capture groups with the same name in a single rex. That means that in your rex you have Application in two different capture groups. This is not allowed. Also, I think that you are trying to do the joining of the two with the &, which also will break it all. Post some example data here and you'll probably get an answer which will help you get the data that you want.

0 Karma
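The two points raised above, FrankVl's single regex with the alternation limited to the path segment that differs (or two separate rex commands), and cpetterborg's observation that a regex engine rejects two capture groups with the same name unless duplicate names are enabled, can be checked outside Splunk. The following is an added Python example, not code from any of the posters; it uses constructed sample `source` values, Python's `(?P<name>...)` group syntax instead of rex's `(?<name>...)`, and raw strings, so the backslash doubling differs from what the SPL double-quoted rex string requires. The matching logic is the same.

```python
import re

# Constructed sample values of the Splunk `source` field (not taken from the thread).
SAMPLE_SOURCES = [
    r"\\domain\prod\OrderService\app.log",
    r"\\domain\Logs\Prod\cluster1\BillingService\app.log",
    r"\\domain\Logs\Prod\cluster2\Other\app.log",   # no matching prefix: must yield no value
]

# One pattern: the alternation covers only the path segment that varies,
# and a single Application group follows it (FrankVl's approach).
COMBINED = re.compile(
    r"^\\\\domain\\(?:prod|Logs\\Prod\\cluster1)\\(?P<Application>.+?)(?=\\)"
)

# The equivalent of two separate rex commands run one after the other.
SEPARATE = [
    re.compile(r"^\\\\domain\\prod\\(?P<Application>.+?)(?=\\)"),
    re.compile(r"^\\\\domain\\Logs\\Prod\\cluster1\\(?P<Application>.+?)(?=\\)"),
]


def extract_combined(source):
    """Return the Application name from a source path, or None if no prefix matches."""
    m = COMBINED.search(source)
    return m.group("Application") if m else None


def extract_separate(source):
    """Same result as extract_combined, but with one pattern per path flavour."""
    for pattern in SEPARATE:
        m = pattern.search(source)
        if m:
            return m.group("Application")
    return None


def duplicate_group_name_rejected():
    """Python's re, like rex without (?J), refuses a pattern that reuses a group name."""
    try:
        re.compile(r"(?P<Application>prod)|(?P<Application>cluster1)")
    except re.error:
        return True
    return False


if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, "->", extract_combined(src), extract_separate(src))
    print("duplicate group name rejected:", duplicate_group_name_rejected())
```

Both extraction functions return the same value for every sample path, and the third path, whose prefix matches neither flavour, yields no Application at all rather than a wrong one. When more path variants are added, the `SEPARATE` list stays readable, which is the reason FrankVl gives for preferring separate rex commands.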