Splunk Search

How can I use rex to match multiple keywords in a file name?

Tridi123
New Member

I have keywords like project, plan, lease.
Now if any of these keywords hits a file name, I need to find which keywords have hit. If my file name is Project_plan gamil.doc then the keywords hit are project and plan.
My query is like:

mysearch | rex field=source "(?<found_project>(?i)(project))" | table _time found_project source _raw

but when I am writing it like

mysearch | rex field=source "(?<found_project>(?i)(project|plan|lease))" | table _time found_project source _raw

it's not working, as the column found_project only contains Plan or project, not those two together, for Project_plan gamil.doc. But I want my found_project column to contain data like Project,plan
as two keywords have been hit.

In JavaScript there is one command, a=string.match(regex); a column will contain all the data that match the regex. I want to do the same with Splunk. Can anyone help in this regard?


ayme
Splunk Employee

Doesn't using max_match do the trick?

... | fields source | rex field=file max_match=999999 "(?<found_project>(?i)(project|plan|lease|someotherterm))" | table _time found_project source


Tridi123
New Member

Can no one help with this requirement?


Tridi123
New Member

project_plan_project.doc project
plan


Tridi123
New Member

Thanks for your help. I thought about mvexpand but it was coming as

project_plan_project.doc project

project_plan_project.doc plan

but my final table should be like

project_plan_project.doc project
plan

that is, found_project at the end will be a multivalued field,
and project will come only once.
Is there any query in Splunk for this?


ayme
Splunk Employee

... | fields source | rex field=file max_match=999999 "(?<found_project>(?i)(project|plan|lease|someotherterm))" | table _time found_project source | mvexpand found_project | dedup found_project, source


Tridi123
New Member

If my file name is project_plan_project.doc
then under found_project, plan is coming twice, like
Plan
Project
project

Is there any solution so that project comes only once? I used dedup but it won't work. Can you help me?

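As an added illustration (not code from this thread or from Splunk), the following Python reproduces what the rex max_match approach above produces and why a plain dedup still leaves both Project and project: the multivalue field holds every match verbatim, so the values must be case-folded before deduplicating. The keyword list and the file names are constructed for the example; the only names taken from the thread are project, plan, lease and project_plan_project.doc.

```python
import re

# Constructed keyword list (the three terms from the thread).
KEYWORDS = ["project", "plan", "lease"]


def extract_keywords(source, keywords=KEYWORDS):
    """Equivalent of: rex field=source max_match=0 "(?<found_project>(?i)(project|plan|lease))"

    max_match=0 (or a large number) returns every match, so the result is a
    list in match order, including duplicates and whatever case the file name used.
    This is the raw multivalue found_project field before any dedup.
    """
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    return pattern.findall(source)


def dedup_case_insensitive(values):
    """Collapse the multivalue list to one entry per keyword, ignoring case.

    A case-sensitive dedup keeps 'Project' and 'project' as two values; folding
    to lower case first is what makes the thread's example collapse to one.
    First-seen order is preserved.
    """
    seen = set()
    out = []
    for v in values:
        key = v.lower()
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def keyword_table(sources, keywords=KEYWORDS):
    """Build rows (source, found_project) like the final table the poster wants:
    one row per file name, found_project as a deduplicated list of keywords."""
    return [(s, dedup_case_insensitive(extract_keywords(s, keywords))) for s in sources]


if __name__ == "__main__":
    # Constructed sample file names, including the one from the thread.
    sample = [
        "Project_plan gamil.doc",
        "project_plan_project.doc",
        "Lease_Plan_lease.xlsx",
        "notes.txt",
    ]
    for source, found in keyword_table(sample):
        print(source, "->", ",".join(found) if found else "(no keyword)")
```

In SPL terms, extract_keywords is the rex with max_match, and dedup_case_insensitive is the step the thread is missing: lower-casing the values before the dedup so that case variants of the same keyword count once.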

MHibbin
Influencer

You could try the following:

Define your rex:

mysearch | rex field=source "(?<found_project>(?i)(project))"

Create a "match" field:

..| eval match=1

Create a lookup with your keywords and the match column, e.g. for keywords.csv (this will need to be set up on server side):

match,keyword
1,plan
1,lease

I've taken project out as you have already extracted this in the field, so you could always add it back in as another row.

Perform a lookup on the match field to add in your values:

..|lookup keywords match output keyword

This should add all the values to your events, so expand them out:

..|mvexpand keyword

Then filter out any matching events:

..| where match(keyword,found_project)

I have not tested this, but I have used similar solutions before when looking for keywords.

Hope this helps.

MHibbin
Influencer

If you extract the found_project field and project_plan.doc is one of the values for that field, the match will exclude any events that do not match the keyword. Other than that, I'm not sure I understand the question...


Tridi123
New Member

In which way will I pass the file name
Project_plan.doc to the lookup query? Because I have to match against the file name whether these keywords are present in it or not. Can you help once more please?
